Abstract. We describe a simple, conceptual forward analysis procedure for $\infty$-complete WSTS $\mathfrak{S}$. This computes the so-called clover of a state. When $\mathfrak{S}$ is the completion of a WSTS $\mathfrak{X}$, the clover in $\mathfrak{S}$ is a finite description of the downward closure of the reachability set. We show that such completions are $\infty$-complete exactly when $\mathfrak{X}$ is an $\omega^2$-WSTS, a new robust class of WSTS. We show that our procedure terminates in more cases than the generalized Karp-Miller procedure on extensions of Petri nets and on lossy channel systems. We characterize the WSTS where our procedure terminates as those that are clover-flattable. Finally, we apply this to well-structured counter systems.



1. Introduction 



Context. Well-structured transition systems (WSTS) are a general class of infinite-state systems where coverability (given states $s, t$, decide whether $s \,(\geq;\to^*;\geq)\, t$, i.e., whether $s \geq s_1 \to^* t_1 \geq t$ for some $s_1, t_1$) is decidable, using a simple algorithm that works backwards [Fin87, Fin90, FS01, ACJT00].



The starting point of this paper and of its first part [FG09] is our desire to derive similar algorithms working forwards, namely algorithms computing the cover $\downarrow\mathrm{Post}^*_{\mathfrak{S}}(s)$ of $s$. While the cover allows one to decide coverability as well, by testing whether $t \in \downarrow\mathrm{Post}^*_{\mathfrak{S}}(s)$, it can also be used to decide $U$-boundedness, i.e., to decide whether there are only finitely many states $t$ in the upward-closed set $U$ such that $s \,(\geq;\to^*)\, t$. ($U$-boundedness generalizes the boundedness problem, which is the instance of $U$-boundedness where $U$ is the entire set of states.) No backward algorithm can decide this. In fact, $U$-boundedness is undecidable in general, e.g., on lossy channel systems [CFP96]. So the reader should be warned that computing the cover is not possible for general WSTS. Despite this, the known forward algorithms are felt to be more efficient than backward procedures in general: e.g., for lossy channel systems, although the backward procedure always terminates, only a (necessarily non-terminating) forward procedure is implemented in the TREX tool [ABJ98]. Another argument in favor of forward procedures is the following: for depth-bounded processes, a fragment of the $\pi$-calculus, the backward algorithm of [ACJT00] is not applicable when the maximal depth of configurations is not known in advance because, in this case, the predecessor configurations are not effectively computable [WZH10]. But the Expand, Enlarge and Check forward algorithm of [GRvB07], which operates on complete WSTS, solves coverability even though the depth of the process is not known a priori [WZH10].



State of the Art. Karp and Miller [KM69] proposed an algorithm, for Petri nets, which computes a finite representation of the cover, i.e., of the downward closure of the reachability set of a Petri net. Finkel [Fin87, Fin90] introduced the framework of WSTS and generalized the Karp-Miller procedure to a class of WSTS. This was achieved by building a non-effective completion of the set of states, and replacing $\omega$-accelerations of increasing sequences of states (in Petri nets) by least upper bounds. In [EN98, Fin90] a variant of this generalization of the Karp-Miller procedure was studied; but no guarantee was given that the cover could be represented finitely. In fact, no effective finite representations of downward-closed sets were given in [Fin90]. Finkel [Fin93] modified the Karp-Miller algorithm to reduce the size of the intermediate computed trees. Geeraerts et al. [GRvB07] recently proposed a weaker acceleration, which avoids some possible underapproximations in [Fin93]. Emerson and Namjoshi [EN98] take into account the labeling of WSTS and consequently adapt the generalized Karp-Miller algorithm to model-checking. They assume the existence of a compatible dcpo, and generalize the Karp-Miller procedure to the case of broadcast protocols (which are equivalent to transfer Petri nets). However, termination is then not guaranteed [EFM99], and in fact neither is the existence of a finite representation of the cover. We solved the latter problem in [FG09].

Abdulla, Collomb-Annichini, Bouajjani and Jonsson proposed a forward procedure for lossy channel systems [ACABJ04] using downward-closed regular languages as symbolic representations. Ganty, Geeraerts, Raskin and Van Begin [GRvB06b, GRvB06a] proposed a forward procedure for solving the coverability problem for WSTS equipped with an effective adequate domain of limits, or equipped with a finite set $D$ used as a parameter to tune the precision of an abstract domain. Both solutions ensure that every downward-closed set has a finite representation. Abdulla et al. [ACABJ04] applied this framework to Petri nets and lossy channel systems. Abdulla, Deneux, Mahata and Nylén proposed a symbolic framework for dealing with downward-closed sets for Timed Petri nets [ADMN04a].



Our Contribution. First, we define a complete WSTS as a WSTS $\mathfrak{S}$ whose well-ordering is also a continuous dcpo (a dcpo is a directed complete partial ordering). This allows us to design a conceptual procedure $\mathrm{Clover}_{\mathfrak{S}}$ that looks for a finite representation of the downward closure of the reachability set, i.e., of the cover [Fin90]. We call such a finite representation a clover (for closure of cover). This clearly separates the fundamental ideas from the data structures used in implementing Karp-Miller-like algorithms. Our procedure also terminates in more cases than the well-known (generalized) Karp-Miller procedure [EN98, Fin90]. We establish the main properties of clovers in Section 3 and use them to prove $\mathrm{Clover}_{\mathfrak{S}}$ correct, notably, in Section 5.
Second, we characterize complete WSTS for which $\mathrm{Clover}_{\mathfrak{S}}$ terminates. These are the ones that have a (continuous) flattening with the same clover. This establishes a surprising relationship with the theory of flattening [BFLS05]. The result (Theorem 5.21), together with its corollary on covers, rather than clovers (Theorem 5.26), is the main achievement of this paper.

Third, and building on our theory of completions [FG09], we characterize those WSTS whose completion is a complete WSTS in the sense above. They are exactly the $\omega^2$-WSTS, i.e., those whose state space is $\omega^2$-wqo (a wqo is a well quasi-ordering), as we show in Section 4. All naturally occurring WSTS are in fact $\omega^2$-WSTS. We shall also explain why this study is important: despite the fact that $\mathrm{Clover}_{\mathfrak{S}}$ cannot terminate on all inputs, that $\mathfrak{S}$ is an $\omega^2$-WSTS will ensure progress, i.e., that every opportunity of accelerating a loop will eventually be taken by $\mathrm{Clover}_{\mathfrak{S}}$.

Finally, we apply our framework of complete WSTS to counter systems in Section 6. We show that affine counter systems may be completed into $\infty$-complete WSTS iff the domains of the monotonic affine functions are upward-closed.



2. Preliminaries 



2.1. Posets, Dcpos. We borrow from theories of order, as used in model-checking [ACJT00, FS01], and also from domain theory [AJ94, GHK+03]. A quasi-ordering $\leq$ is a reflexive and transitive relation on a set $X$. It is a (partial) ordering iff it is antisymmetric.

We write $\geq$ for the converse quasi-ordering, $<$ for the associated strict ordering ($\leq \setminus \geq$), and $>$ for the converse ($\geq \setminus \leq$) of $<$. There is also an associated equivalence relation $\equiv$, defined as $\leq \cap \geq$.

A set $X$ with a partial ordering $\leq$ is a poset $(X, \leq)$, or just $X$ when $\leq$ is clear. If $X$ is merely quasi-ordered by $\leq$, then the quotient $X/{\equiv}$ is ordered by the relation induced by $\leq$ on equivalence classes. So there is not much difference in dealing with quasi-orderings or partial orderings, and we shall essentially be concerned with the latter.

The upward closure $\uparrow E$ of a set $E$ in $X$ is $\{y \in X \mid \exists x \in E \cdot x \leq y\}$. The downward closure $\downarrow E$ is $\{y \in X \mid \exists x \in E \cdot y \leq x\}$. A subset $E$ of $X$ is upward-closed if and only if $E = \uparrow E$. Downward-closed sets are defined similarly. A basis of a downward-closed (resp. upward-closed) set $E$ is a subset $A$ such that $E = \downarrow A$ (resp. $E = \uparrow A$); $E$ has a finite basis iff $A$ can be chosen to be finite.

A quasi-ordering is well-founded iff it has no infinite strictly descending chain $x_0 > x_1 > \ldots > x_i > \ldots$. An antichain is a set of pairwise incomparable elements. A quasi-ordering is well iff it is well-founded and has no infinite antichain; equivalently, from any infinite sequence $x_0, x_1, \ldots, x_i, \ldots$, one can extract an infinite ascending chain $x_{i_0} \leq x_{i_1} \leq \ldots \leq x_{i_k} \leq \ldots$, with $i_0 < i_1 < \ldots < i_k < \ldots$. While wqo stands for well-quasi-ordered set, we abbreviate well posets as wpos.

An upper bound $x \in X$ of $E \subseteq X$ is such that $y \leq x$ for every $y \in E$. The least upper bound (lub) of a set $E$, if it exists, is written $\mathrm{lub}(E)$. An element $x$ of $E$ is maximal (resp. minimal) iff $\uparrow x \cap E = \{x\}$ (resp. $\downarrow x \cap E = \{x\}$). Write $\mathrm{Max}\,E$ (resp. $\mathrm{Min}\,E$) for the set of maximal (resp. minimal) elements of $E$.

A directed subset of $X$ is any non-empty subset $D$ such that every pair of elements of $D$ has an upper bound in $D$. Chains, i.e., totally ordered subsets, and one-element sets are examples of directed subsets. A dcpo is a poset in which every directed subset has a least upper bound. For any subset $E$ of a dcpo $X$, let $\mathrm{Lub}(E) = \{\mathrm{lub}(D) \mid D \text{ directed subset of } E\}$. Clearly, $E \subseteq \mathrm{Lub}(E)$; $\mathrm{Lub}(E)$ can be thought of as $E$ plus all limits from elements of $E$.

The way below relation $\ll$ on a dcpo $X$ is defined by $x \ll y$ iff, for every directed subset $D$ such that $\mathrm{lub}(D) \geq y$, there is a $z \in D$ such that $x \leq z$. Note that $x \ll y$ implies $x \leq y$, and that $x' \leq x \ll y \leq y'$ implies $x' \ll y'$. Write $\twoheaddownarrow E = \{y \in X \mid \exists x \in E \cdot y \ll x\}$, and $\twoheaddownarrow x = \twoheaddownarrow \{x\}$. $X$ is continuous iff, for every $x \in X$, $\twoheaddownarrow x$ is a directed subset, and has $x$ as least upper bound.

When < is a well partial ordering that also turns X into a dcpo, we say that X is 
a directed complete well order, or dcwo. We shall be particularly interested in continuous 
dcwos. 

A subset $U$ of a dcpo $X$ is (Scott-)open iff $U$ is upward-closed, and for any directed subset $D$ of $X$ such that $\mathrm{lub}(D) \in U$, some element of $D$ is already in $U$. A map $f : X \to X$ is (Scott-)continuous iff $f$ is monotonic ($x \leq y$ implies $f(x) \leq f(y)$) and for every directed subset $D$ of $X$, $\mathrm{lub}(f(D)) = f(\mathrm{lub}(D))$. Equivalently, $f$ is continuous in the topological sense, i.e., $f^{-1}(U)$ is open for every open $U$.

A weaker requirement is $\omega$-continuity: $f$ is $\omega$-continuous iff $\mathrm{lub}\{f(x_n) \mid n \in \mathbb{N}\} = f(\mathrm{lub}\{x_n \mid n \in \mathbb{N}\})$, for every countable chain $(x_n)_{n \in \mathbb{N}}$. This is all we require when we define accelerations, but general continuity is more natural in proofs. We won't discuss this any further: the two notions coincide when $X$ is countable, which will always be the case of the state spaces $X$ we are interested in, where the states should be representable on a Turing machine, hence at most countably many.

The closed sets are the complements of open sets. Every closed set is downward-closed. On a dcpo, the closed subsets are the subsets $B$ that are both downward-closed and inductive, i.e., such that $\mathrm{Lub}(B) = B$. An inductive subset of $X$ is none other than a sub-dcpo of $X$.

The closure $\mathrm{cl}(A)$ of $A \subseteq X$ is the smallest closed set containing $A$. This should not be confused with the inductive closure $\mathrm{Ind}(A)$ of $A$, which is obtained as the smallest inductive subset $B$ containing $A$. In general, $\downarrow A \subseteq \mathrm{Lub}(\downarrow A) \subseteq \mathrm{Ind}(\downarrow A) \subseteq \mathrm{cl}(A)$, and all inclusions can be strict. Consider $X = \mathbb{N}_\omega^k$, where $k \in \mathbb{N}$, and $\mathbb{N}_\omega$ denotes $\mathbb{N}$ with a new element $\omega$ added, ordered by $(n_1, n_2, \ldots, n_k) \leq (n'_1, n'_2, \ldots, n'_k)$ iff $(n_1, n_2, \ldots, n_k) = (n'_1, n'_2, \ldots, n'_k)$, or for some $i$, $1 \leq i \leq k$, $n_1 = n'_1 = n_2 = n'_2 = \ldots = n_{i-1} = n'_{i-1} = \omega$, $n_i \neq \omega$, either $n'_i = \omega$ or $n_i < n'_i \in \mathbb{N}$, and $n_j = n'_j$ for every $j > i$ (this last clause is what makes the computations below come out as stated). Then take $A = \mathbb{N}^k \subseteq X$: $\downarrow A = A$, but $\mathrm{Lub}(\downarrow A) = \mathbb{N}_\omega \times \mathbb{N}^{k-1}$ is strictly larger; in fact $\mathrm{Lub}(\mathrm{Lub}(\downarrow A)) = \mathbb{N}_\omega^2 \times \mathbb{N}^{k-2}$ is even larger, $\mathrm{Lub}^i(\downarrow A) = \mathrm{Lub}(\mathrm{Lub}^{i-1}(\downarrow A))$ equals $\mathbb{N}_\omega^i \times \mathbb{N}^{k-i}$ for all $i$, $2 \leq i \leq k$, and this is a strictly increasing chain of subsets. All of them are contained in $\mathrm{Ind}(\downarrow A) = \mathbb{N}_\omega^k$, which coincides with $\mathrm{cl}(A)$ here. It may also be the case that $\mathrm{Ind}(\downarrow A)$ is strictly contained in $\mathrm{cl}(A)$: consider the set $X$ of all pairs $(i, m)$ with $i \in \{0, 1\}$, $m \in \mathbb{N}$, plus a new element $\omega$, ordered by $(i, m) \leq (j, n)$ iff $i = j$ and $m \leq n$, and $(i, m) \leq \omega$ for all $(i, m) \in X$, and let $A = \{(0, m) \mid m \in \mathbb{N}\}$. Then $\mathrm{Ind}(\downarrow A) = A \cup \{\omega\}$, but the latter is not even downward-closed, so is strictly smaller than $\mathrm{cl}(A)$; in fact $\mathrm{cl}(A)$ is the whole of $X$.

All this nitpicking is irrelevant when $X$ is a continuous dcpo, and $A$ is downward-closed in $X$. In this case indeed, $\mathrm{Lub}(A) = \mathrm{Ind}(A) = \mathrm{cl}(A)$. This is well-known, see e.g., [FG09, Proposition 3.5], and will play an important role in our constructions. As a matter of fact, the fact that $\mathrm{Lub}(A) = \mathrm{cl}(A)$, in the particular case of continuous dcpos, is required for lub-accelerations to ever reach the closure of the set of states that are reachable in a transition system.
2.2. Well-Structured Transition Systems. A transition system is a pair $\mathfrak{S} = (S, \to)$ of a set $S$, whose elements are called states, and a transition relation $\to \subseteq S \times S$. We write $s \to s'$ for $(s, s') \in \to$. Let $\to^*$ be the transitive and reflexive closure of the relation $\to$. We write $\mathrm{Post}_{\mathfrak{S}}(s) = \{s' \in S \mid s \to s'\}$ for the set of immediate successors of the state $s$. The reachability set of a transition system $\mathfrak{S} = (S, \to)$ from an initial state $s_0$ is

$\mathrm{Post}^*_{\mathfrak{S}}(s_0) = \{s \in S \mid s_0 \to^* s\}$.

We shall be interested in effective transition systems. Intuitively, a transition system $(S, \to)$ is effective iff one can compute the set of successors $\mathrm{Post}_{\mathfrak{S}}(s)$ of any state $s$. We shall take this to imply that $\mathrm{Post}_{\mathfrak{S}}(s)$ is finite, and each of its elements is computable, although one could imagine that $\mathrm{Post}_{\mathfrak{S}}(s)$ be described differently, say as a regular expression.

Formally, one needs to find a representation of the states $s \in S$. A representation map is any surjective map $r : E \to S$ from some subset $E$ of $\mathbb{N}$ to $S$. If $e \in E$ is such that $r(e) = s$, then one says that $e$ is a code for the state $s$.

An effective transition system is a 4-tuple $(S, \to, r, \mathrm{post})$, where $(S, \to)$ is a transition system, $r : E \to S$ is a representation map, and $\mathrm{post} : E \to \mathbb{P}_{\mathrm{fin}}(E)$ is a computable map such that, for every code $e$, $r(\mathrm{post}(e)) = \mathrm{Post}_{\mathfrak{S}}(r(e))$. We write $r(A)$ for the image $\{r(a) \mid a \in A\}$ of the set $A$ by $r$, and $\mathbb{P}_{\mathrm{fin}}(E)$ is the set of finite subsets of $E$. A computable map from $E$ to $\mathbb{P}_{\mathrm{fin}}(E)$ is by definition a partial recursive map $\mathrm{post} : \mathbb{N} \to \mathbb{P}_{\mathrm{fin}}(\mathbb{N})$ that is defined on all elements of $E$, and such that $\mathrm{post}(e) \in \mathbb{P}_{\mathrm{fin}}(E)$ for all $e \in E$.

For reasons of readability, we shall make an abuse of language, and say that the pair $(S, \to)$ is itself an effective transition system in this case, leaving the representation map $r$ and the $\mathrm{post}$ function implicit.

An ordered transition system is a triple $\mathfrak{S} = (S, \to, \leq)$ where $(S, \to)$ is a transition system and $\leq$ is a partial ordering on $S$. We say that $(S, \to, \leq)$ is effective if $(S, \to)$ is effective and if $\leq$ is decidable.

This is again an abuse of language: formally, an effective ordered transition system is a 6-tuple $(S, \to, \leq, r, \mathrm{post}, \preceq)$ where $(S, \to, \leq)$ is an ordered transition system, $(S, \to, r, \mathrm{post})$ is an effective transition system, and $\preceq$ is a decidable relation on $E$ such that $e \preceq e'$ iff $r(e) \leq r(e')$. By decidable on $E$, we mean that $\preceq$ is a partial recursive map from $\mathbb{N} \times \mathbb{N}$ to the set of Booleans, which is defined on $E \times E$ at least.

We say that $\mathfrak{S} = (S, \to, \leq)$ is monotonic (resp. strictly monotonic) iff for every $s, s', s_1 \in S$ such that $s \to s'$ and $s_1 \geq s$ (resp. $s_1 > s$), there exists an $s'_1 \in S$ such that $s_1 \to^* s'_1$ and $s'_1 \geq s'$ (resp. $s'_1 > s'$). $\mathfrak{S}$ is strongly monotonic iff for every $s, s', s_1 \in S$ such that $s \to s'$ and $s_1 \geq s$, there exists an $s'_1 \in S$ such that $s_1 \to s'_1$ and $s'_1 \geq s'$.

Finite representations of $\mathrm{Post}^*_{\mathfrak{S}}(s)$, e.g., as Presburger formulae or finite automata, usually don't exist even for monotonic transition systems (not even speaking of being computable). However, the cover $\mathrm{Cover}_{\mathfrak{S}}(s) = \downarrow\mathrm{Post}^*_{\mathfrak{S}}(\downarrow s)$ ($= \downarrow\mathrm{Post}^*_{\mathfrak{S}}(s)$ when $\mathfrak{S}$ is monotonic) will be much better behaved. Note that being able to compute the cover allows one to decide coverability: $s \,(\geq;\to^*;\geq)\, t$ iff $t \in \mathrm{Cover}_{\mathfrak{S}}(s)$. In most cases we shall encounter, it will also be decidable whether a finitely represented cover is finite, or whether it meets a given upward-closed set $U$ in only finitely many points. Therefore boundedness (is $\mathrm{Post}^*_{\mathfrak{S}}(s)$ finite?) and $U$-boundedness (is $\mathrm{Post}^*_{\mathfrak{S}}(s) \cap U$ finite?) will be decidable, too.

An ordered transition system $\mathfrak{S} = (S, \to, \leq)$ is a Well Structured Transition System (WSTS) iff $\mathfrak{S}$ is monotonic and $(S, \leq)$ is wpo. This is our object of study.

For strictly monotonic WSTS, it is also possible to decide the boundedness problem, with the help of the Finite Reachability Tree (FRT) [Fin90]. However, the place-boundedness problem (i.e., to decide whether a place can contain an unbounded number of tokens) remains undecidable for transfer Petri nets [DFS98], which are strictly monotonic WSTS, but it is decidable for Petri nets. It is decided with the help of a richer structure than the FRT, the Karp-Miller tree. The set of labels of the Karp-Miller tree is a finite representation of the cover.

We will consider transition systems that are functional, i.e., defined by a finite set of transition functions. This is, as in [FG09], for reasons of simplicity. However, our $\mathrm{Clover}_{\mathfrak{S}}$ procedure (Section 5), and already the technique of accelerating loops (Definition 3.3), depend on the considered transition system being functional.

Formally, a functional transition system $(S, \xrightarrow{F})$ is a labeled transition system where the transition relation $\xrightarrow{F}$ is defined by a finite set $F$ of partial functions $f : S \to S$, in the sense that for every $s, s' \in S$, $s \xrightarrow{F} s'$ iff $s' = f(s)$ for some $f \in F$. If additionally a partial ordering $\leq$ is given, a map $f : S \to S$ is partial monotonic iff $\mathrm{dom}\,f$ is upward-closed and for all $x, y \in \mathrm{dom}\,f$ with $x \leq y$, $f(x) \leq f(y)$. An ordered functional transition system is an ordered transition system $\mathfrak{S} = (S, \xrightarrow{F}, \leq)$ where $F$ consists of partial monotonic functions. This is always strongly monotonic. A functional WSTS is an ordered functional transition system where $\leq$ is a well-ordering.

A functional transition system $(S, \xrightarrow{F})$ is effective if every $f \in F$ is computable: given a state $s$ and a function $f$, we can decide whether $s \in \mathrm{dom}\,f$ and in this case, one can also compute $f(s)$.

For example, every Petri net, every reset/transfer Petri net, and in fact every affine 
counter system (see Definition 6.2) is an effective, functional WSTS. 

Lossy channel systems [ACABJ04] are not functional: any channel can lose a letter at any position, and although one may think of encoding this as a functional transition system defined by functions $f_i$ for each $i$, where $f_i$ would lose the letter at position $i$, this would require an unbounded number of functions. However, for the purpose of computing covers, lossy channel systems are equivalent [Sch01] ("equivalent" means that the decidability status of the usual properties is the same for both models) to functional-lossy channel systems, which are functional [FG09]. In the latter, there are functions $\mathrm{send}_a$ to add a fixed letter $a$ to the back of each queue (i.e., $\mathrm{dom}(\mathrm{send}_a) = \Sigma^*$, where $\Sigma$ is the queue alphabet, and $\mathrm{send}_a(w) = wa$), and functions $\mathrm{recv}_a$ to read a fixed letter $a$ from the front of each queue, where reading is only defined when there is an $a$ in the queue, and means removing all letters up to and including the first $a$ from the queue (i.e., $\mathrm{dom}(\mathrm{recv}_a) = \{waw' \mid w, w' \in \Sigma^*\}$, $\mathrm{recv}_a(waw')$



3. Clovers of Complete WSTS 



3.1. Complete WSTS and Their Clovers. All forward procedures for WSTS rest on completing the given WSTS to one that includes all limits. E.g., the state space of Petri nets is $\mathbb{N}^k$, the set of all markings on $k$ places, but the Karp-Miller algorithm works on $\mathbb{N}_\omega^k$, where $\mathbb{N}_\omega$ is $\mathbb{N}$ plus a new top element $\omega$, with the usual componentwise ordering. We have defined general completions of wpos, serving as state spaces, and have briefly described completions of (functional) WSTS in [FG09]. We temporarily abstract away from this, and consider complete WSTS directly.

Generalizing the notion of continuity to partial maps, we define: 
Figure 1: The clover and the cover, in a complete space

Definition 3.1. A partial continuous map $f : X \to X$, where $(X, \leq)$ is a dcpo, is a partial map whose domain $\mathrm{dom}\,f$ is open (not just upward-closed), and such that for every directed subset $D$ in $\mathrm{dom}\,f$, $\mathrm{lub}(f(D)) = f(\mathrm{lub}(D))$.

This is the special case of a more topological definition: in general, a partial continuous map $f : X \to Y$ is a partial map whose domain is open in $X$, and such that $f^{-1}(U)$ is open (in $X$, or equivalently here, in $\mathrm{dom}\,f$) for any open $U$ of $Y$.

The composition of two partial continuous maps again yields a partial continuous map. 

Definition 3.2 (Complete WSTS). A complete transition system is a functional transition system $\mathfrak{S} = (S, \xrightarrow{F}, \leq)$ where $(S, \leq)$ is a continuous dcwo and every function in $F$ is partial continuous.

A complete WSTS is a functional WSTS that is complete as a functional transition system.

The point in complete WSTS is that one can accelerate loops: 

Definition 3.3 (Lub-acceleration). Let $(X, \leq)$ be a dcpo, $f : X \to X$ be partial continuous. The lub-acceleration $f^\infty : X \to X$ is defined by: $\mathrm{dom}\,f^\infty = \mathrm{dom}\,f$, and for any $x \in \mathrm{dom}\,f$, if $x < f(x)$ then $f^\infty(x) = \mathrm{lub}\{f^n(x) \mid n \in \mathbb{N}\}$, else $f^\infty(x) = f(x)$.

Note that if $x < f(x)$, then $f(x) \in \mathrm{dom}\,f$, and $f(x) \leq f^2(x)$. By induction, we can show that $\{f^n(x) \mid n \in \mathbb{N}\}$ is an increasing sequence, so that the definition makes sense.
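As an added illustration of Definition 3.3 (example code written for this page, not code from the paper), the following Python computes lub-accelerations on $\mathbb{N}_\omega^k$, the completed state space of a Petri net, for transition functions of the Petri-net form $f(x) = x + \delta$ with domain $\{x \mid x \geq \mathrm{pre}\}$. The names `leq`, `apply`, `iterate`, `lub_accelerate` and the two transitions are constructed for the example. For such translations the lub of the increasing chain $f^n(x)$ is obtained by setting to $\omega$ every coordinate that strictly grows along the chain; this shortcut is an assumption that holds for translations, not for arbitrary partial continuous maps.

```python
"""Lub-acceleration on N_omega^k for Petri-net-style transition functions.

Added example, not from the paper.  A state is a k-tuple over N plus the top
element omega, represented by float('inf') so that omega + d == omega and omega
is above every natural number.  A transition f is the pair (pre, delta):
dom f = {x | x >= pre}, f(x) = x + delta.
"""

OMEGA = float("inf")

# Constructed sample transitions on two places (assumption):
#   T_PRODUCE needs a token on place 0 and adds one to place 1 (a loop that grows);
#   T_CONSUME needs a token on place 1 and removes it (never grows).
T_PRODUCE = ((1, 0), (0, 1))
T_CONSUME = ((0, 1), (0, -1))


def leq(x, y):
    """Componentwise ordering of N_omega^k."""
    return all(a <= b for a, b in zip(x, y))


def apply(f, x):
    """f(x) if x is in dom f, else None."""
    pre, delta = f
    if not leq(pre, x):
        return None
    return tuple(a + d for a, d in zip(x, delta))


def iterate(f, x, n):
    """The finite prefix f^0(x), ..., f^n(x) of the chain in Definition 3.3."""
    seq = [x]
    for _ in range(n):
        y = apply(f, seq[-1])
        if y is None:
            break
        seq.append(y)
    return seq


def is_increasing(seq):
    """Check that consecutive elements satisfy f^i(x) <= f^(i+1)(x)."""
    return all(leq(a, b) for a, b in zip(seq, seq[1:]))


def lub_accelerate(f, x):
    """f^infinity(x): if x < f(x) the lub of {f^n(x) | n in N}, else f(x).

    For a translation by delta, a coordinate that is strictly larger in f(x)
    than in x keeps growing forever, so its lub is omega; every other
    coordinate is unchanged by f and is kept (this is where the translation
    assumption is used)."""
    fx = apply(f, x)
    if fx is None:
        return None                       # dom f^infinity = dom f
    if leq(x, fx) and x != fx:            # x < f(x): accelerate the loop
        return tuple(OMEGA if b > a else a for a, b in zip(x, fx))
    return fx


if __name__ == "__main__":
    print(iterate(T_PRODUCE, (1, 0), 4))          # the increasing chain
    print(lub_accelerate(T_PRODUCE, (1, 0)))      # (1, inf): the lub
    print(lub_accelerate(T_CONSUME, (1, 3)))      # (1, 2): not x < f(x), so f(x)
```

Once a coordinate has become $\omega$, applying the same transition again is a fixpoint ($x = f(x)$), so the acceleration returns $f(x)$ and nothing further is gained; this is the situation in which a forward procedure stops accelerating that loop.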

Complete WSTS are strongly monotonic. One cannot decide, in general, whether a recursive function $f$ is monotonic [FMP04] or continuous, whether an ordered set $(S, \leq)$ with a decidable ordering $\leq$ is a dcpo or whether it is a wpo. To show the latter claim for example, fix a finite alphabet $\Sigma$, and consider subsets $S$ of $\Sigma^*$ specified by a Turing machine $\mathcal{M}$ with tape alphabet $\Sigma$, so that $S$ is the language accepted by $\mathcal{M}$. Let $\leq$ be, say, the prefix ordering on $\Sigma^*$. The property that $(S, \leq)$ is a dcpo, resp. a wpo, is non-trivial and extensional, hence undecidable by Rice's Theorem.

We can also prove that given an effective ordered functional transition system, one cannot decide whether it is a WSTS, or a complete WSTS, in a similar way. However, the completion of any functional $\omega^2$-WSTS is complete, as we shall see in Theorem 4.4.



In a complete WSTS, there is a canonical finite representation of the cover: the clover (a succinct description of the closure of the cover).

Definition 3.4 (Clover). Let $\mathfrak{S} = (S, \xrightarrow{F}, \leq)$ be a complete WSTS. The clover $\mathrm{Clover}_{\mathfrak{S}}(s_0)$ of the state $s_0 \in S$ is $\mathrm{Max}\,\mathrm{Lub}(\mathrm{Cover}_{\mathfrak{S}}(s_0))$.
This is illustrated in Figure 1. The "down" part on the right is meant to illustrate in which directions one should travel to go down in the chosen ordering. The cover $\mathrm{Cover}_{\mathfrak{S}}(s_0)$ is a downward-closed subset, illustrated in blue (grey if you read this in black and white). $\mathrm{Lub}(\mathrm{Cover}_{\mathfrak{S}}(s_0))$ has some new least upper bounds of directed subsets, here $x_1$ and $x_3$. The clover is given by just the maximal points in $\mathrm{Lub}(\mathrm{Cover}_{\mathfrak{S}}(s_0))$, here $x_1, x_2, x_3, x_4$.

The fact that the clover is indeed a representation of the cover follows from the following.

Lemma 3.5. Let $(S, \leq)$ be a continuous dcwo. For any closed subset $F$ of $S$, $\mathrm{Max}\,F$ is finite and $F = \downarrow\mathrm{Max}\,F$.

Proof. As $F$ is closed, it is inductive (i.e., $\mathrm{Lub}(F) = F$). In particular, every element $x$ of $F$ is below some maximal element of $F$. This is well-known, and an easy application of Zorn's Lemma. Since $F$ is downward-closed, $F = \downarrow\mathrm{Max}\,F$. Now every two elements of $\mathrm{Max}\,F$ are incomparable, i.e., $\mathrm{Max}\,F$ is an antichain: since $S$ is wpo, $\mathrm{Max}\,F$ is finite. $\square$



Remark 3.6. Lemma 3.5 generalizes to Noetherian spaces, which extend wqos [Gou07]: every closed subset $F$ of a sober Noetherian space $S$ is of the form $\downarrow\mathrm{Max}\,F$, with $\mathrm{Max}\,F$ finite [Gou07, Corollary 6.5]. Wpos are sober, and every continuous dcpo is sober in its Scott topology [AJ94, Proposition 7.2.27].

Proposition 3.7. Let $\mathfrak{S} = (S, \xrightarrow{F}, \leq)$ be a complete WSTS, and $s_0 \in S$. Then $\mathrm{Clover}_{\mathfrak{S}}(s_0)$ is finite, and $\mathrm{cl}(\mathrm{Cover}_{\mathfrak{S}}(s_0)) = \downarrow\mathrm{Clover}_{\mathfrak{S}}(s_0)$.

Proof. $\mathrm{Lub}(\mathrm{Cover}_{\mathfrak{S}}(s_0)) = \mathrm{cl}(\mathrm{Cover}_{\mathfrak{S}}(s_0))$ since $\mathrm{Cover}_{\mathfrak{S}}(s_0)$ is downward-closed, and $S$ is a continuous dcpo. Now use Lemma 3.5 on the closed set $\mathrm{Lub}(\mathrm{Cover}_{\mathfrak{S}}(s_0))$. $\square$

For any other representative, i.e., for any finite set $R$ such that $\downarrow R = \downarrow\mathrm{Clover}_{\mathfrak{S}}(s_0)$, $\mathrm{Clover}_{\mathfrak{S}}(s_0) = \mathrm{Max}\,R$. Indeed, for any two finite sets $A, B \subseteq S$ such that $\downarrow A = \downarrow B$, $\mathrm{Max}\,A = \mathrm{Max}\,B$. So $\mathrm{Clover}_{\mathfrak{S}}(s_0)$ is the minimal representative of the cover, i.e., there is no representative $R$ with $|R| < |\mathrm{Clover}_{\mathfrak{S}}(s_0)|$. The clover was called the minimal coverability set in [Fin93].

Despite the fact that the clover is always finite, it is non-computable in general (see Proposition 4.6 below). Nonetheless, it is computable on flat complete WSTS, and even on the larger class of clover-flattable complete WSTS (Theorem 5.21 below).



3.2. Completions. Many WSTS are not complete: the set $\mathbb{N}^k$ of states of a Petri net with $k$ places is not even a dcpo. The set of states of a lossy channel system with $k$ channels, $(\Sigma^*)^k$, is not a dcpo for the subword ordering either. We have defined general completions of wpos, and of WSTS, in [FG09], a construction which we recall quickly.

The completion $\hat{X}$ of a wpo $(X, \leq)$ is defined in any of two equivalent ways. First, $\hat{X}$ is the ideal completion $\mathrm{Idl}(X)$ of $X$, i.e., the set of ideals of $X$, ordered by inclusion, where an ideal is a downward-closed directed subset of $X$. The least upper bound of a directed family of ideals $(D_i)_{i \in I}$ is their union. $\hat{X}$ can also be described as the sobrification $\mathcal{S}(X_a)$ of the Noetherian space $X_a$, but this is probably harder to understand.

There is an embedding $\eta_X : X \to \hat{X}$, i.e., an injective map such that $x \leq x'$ in $X$ iff $\eta_X(x) \leq \eta_X(x')$ in $\hat{X}$. This is defined by $\eta_X(x) = \downarrow x$. This allows us to consider $X$ as a subset of $\hat{X}$, by equating $X$ with its image $\eta_X(X)$, i.e., by equating each element $x \in X$ with $\downarrow x \in \hat{X}$. However, we shall only do this in informal discussions, as this tends to make proofs messier.
For instance, if $X = \mathbb{N}^k$, e.g., with $k = 3$, then $(1, 3, 2)$ is equated with the ideal $\downarrow(1, 3, 2)$, while $\{(1, m, n) \mid m, n \in \mathbb{N}\}$ is a limit, i.e. an element of $\hat{X} \setminus X$; the latter is usually written $(1, \omega, \omega)$, and is the least upper bound of all $(1, m, n)$, $m, n \in \mathbb{N}$. The downward-closure of $(1, \omega, \omega)$ in $\hat{X}$, intersected with $X$, gives back the set of non-limit elements $\{(1, m, n) \mid m, n \in \mathbb{N}\}$.

This is a general situation: one can always write $\hat{X}$ as the disjoint union $X \cup L$, so that any downward-closed subset $D$ of $X$ can be written as $X \cap \downarrow A$, where $A$ is a finite subset of $X \cup L$. Then $L$, the set of limits, is a weak adequate domain of limits (WADL) for $X$; we slightly simplify Definition 3.1 of [FG09], itself a slight generalization of [GRvB06b]. In fact, $\hat{X}$ (minus $X$) is the smallest WADL [FG09, Theorem 3.4].

$\hat{X} = \mathrm{Idl}(X)$ is always a continuous dcpo. In fact, it is even algebraic [AJ94, Proposition 2.2.22]. It may however fail to be well, hence to be a continuous dcwo, see Proposition 4.2 below.

We have also described a hierarchy of datatypes on which completions are effective [FG09, Section 5]. Notably, $\hat{\mathbb{N}} = \mathbb{N}_\omega$, $\hat{A} = A$ for any finite poset, and $\widehat{\prod_{i=1}^k X_i} = \prod_{i=1}^k \hat{X_i}$. Also, $\widehat{X^*}$ is the space of word-products on $\hat{X}$. These are the products, as defined in [ABJ98], i.e., regular expressions that are products of atomic expressions $A^*$ ($A \in \mathbb{P}_{\mathrm{fin}}(\hat{X})$, $A \neq \emptyset$) or $a^?$ ($a \in \hat{X}$). In any case, elements of completions $\hat{X}$ have a finite description, and the ordering $\subseteq$ on elements of $\hat{X}$ is decidable [FG09, Theorem 5.3].

Having defined the completion $\hat{X}$ of a wpo $X$, we can define the completion $\mathfrak{S} = \hat{\mathfrak{X}}$ of a (functional) WSTS $\mathfrak{X} = (X, \xrightarrow{F}, \leq)$ as $(\hat{X}, \xrightarrow{SF}, \subseteq)$, where $SF = \{Sf \mid f \in F\}$ [FG09, Section 6]. For each partial monotonic map $f \in F$, the partial continuous map $Sf : \hat{X} \to \hat{X}$ is such that $\mathrm{dom}\,Sf = \{C \in \hat{X} \mid C \cap \mathrm{dom}\,f \neq \emptyset\}$, and $Sf(C) = \downarrow f(C)$ for every $C \in \hat{X}$. In the cases of Petri nets or functional-lossy channel systems, the completed WSTS is effective [FG09, Section 6].

The important fact, which assesses the importance of the clover, is Proposition 3.9 below. We first require a useful lemma. Up to the identification of $X$ with its image $\eta_X(X)$, this states that for any downward-closed subset $F$ of $\hat{X}$, $\mathrm{cl}(F) \cap X = F \cap X$, i.e., taking the closure of $F$ only adds new limits, no proper elements of $X$.

Lemma 3.8. Let $X$ be a wpo. For any downward-closed subset $F$ of $\hat{X}$, $\eta_X^{-1}(\mathrm{cl}(F)) = \eta_X^{-1}(F)$.

Proof. We show that $\eta_X^{-1}(\mathrm{cl}(F)) \subseteq \eta_X^{-1}(F)$; the converse inclusion is obvious. Since $\hat{X} = \mathrm{Idl}(X)$ is a continuous dcpo, $\mathrm{cl}(F) = \mathrm{Lub}(F)$. Take any $x \in \eta_X^{-1}(\mathrm{cl}(F))$: then $\eta_X(x) = \downarrow x$ is the least upper bound of a directed family of ideals $D_i$ in $F$, $i \in I$: $\downarrow x = \bigcup_{i \in I} D_i$. So $x$ is in $D_i$ for some $i \in I$, hence $\eta_X(x) = \downarrow x \subseteq D_i$, i.e., $\eta_X(x)$ is below $D_i$ in $\hat{X}$. Since $F$ is downward-closed and $D_i \in F$, $\eta_X(x)$ is also in $F$, i.e., $x \in \eta_X^{-1}(F)$. $\square$

Up to the identification of $X$ with $\eta_X(X)$, the next proposition states that $\mathrm{Cover}_{\mathfrak{X}}(s_0) = \mathrm{Cover}_{\mathfrak{S}}(s_0) \cap X = \downarrow\mathrm{Clover}_{\mathfrak{S}}(s_0) \cap X$. In other words, to compute the cover of $s_0$ in the WSTS $\mathfrak{X}$ on the state space $X$, one can equivalently compute the cover of $s_0$ in the completed WSTS $\hat{\mathfrak{X}}$, and keep only those non-limit elements (first equality of Proposition 3.9). Or one can equivalently compute the closure of the cover in the completed WSTS $\hat{\mathfrak{X}}$, in the form of the downward closure $\downarrow\mathrm{Clover}_{\mathfrak{S}}(s_0)$ of its clover. The closure of the cover will include extra limit elements, compared to the cover, but no non-limit element by Lemma 3.8. This is illustrated in Figure 2.

Figure 2: The clover and the cover, in a completed space

Proposition 3.9. Let $\mathfrak{S} = \hat{\mathfrak{X}}$ be the completion of the functional WSTS $\mathfrak{X} = (X, \xrightarrow{F}, \leq)$. For every state $s_0 \in X$, $\mathrm{Cover}_{\mathfrak{X}}(s_0) = \eta_X^{-1}(\mathrm{Cover}_{\mathfrak{S}}(\eta_X(s_0))) = \eta_X^{-1}(\downarrow\mathrm{Clover}_{\mathfrak{S}}(\eta_X(s_0)))$.

Proof. The first equality actually follows from Proposition 6.1 of [FG09]. To be self-contained, we give a direct proof: this will be a consequence of (1) and (2) below. The second equality is a consequence of Proposition 3.7 and Lemma 3.8.

First, we show that: (1) $\eta_X^{-1}(\mathrm{Cover}_{\mathfrak{S}}(\eta_X(s_0))) \subseteq \mathrm{Cover}_{\mathfrak{X}}(s_0)$. Let $x$ be any element of $\eta_X^{-1}(\mathrm{Cover}_{\mathfrak{S}}(\eta_X(s_0)))$, i.e., $\downarrow x$ is in $\mathrm{Cover}_{\mathfrak{S}}(\eta_X(s_0))$. By definition, there is a natural number $k$, and $k+1$ elements $C_0 = \eta_X(s_0), C_1, \ldots, C_k$ in $\hat{X}$, and $k$ partial monotonic maps $f_1, \ldots, f_k$ in $F$ such that $\downarrow x \subseteq C_k$, and $C_i = Sf_i(C_{i-1})$ for every $i$, $1 \leq i \leq k$.

Since $\downarrow x \subseteq C_k = Sf_k(C_{k-1}) = \downarrow f_k(C_{k-1})$, there is an element $x_{k-1} \in C_{k-1} \cap \mathrm{dom}\,f_k$ such that $x \leq f_k(x_{k-1})$. Similarly, there is an $x_{k-2} \in C_{k-2} \cap \mathrm{dom}\,f_{k-1}$ such that $x_{k-1} \leq f_{k-1}(x_{k-2})$, $\ldots$, an $x_1 \in C_1 \cap \mathrm{dom}\,f_2$ such that $x_2 \leq f_2(x_1)$, and an $x_0 \in C_0 \cap \mathrm{dom}\,f_1$ such that $x_1 \leq f_1(x_0)$. Since $C_0 = \eta_X(s_0) = \downarrow s_0$, we have $x_0 \leq s_0$. Using the fact that $f_1, \ldots, f_k$ are partial monotonic, $x \leq f_k(f_{k-1}(\ldots(f_2(f_1(s_0)))))$, so $x \in \mathrm{Cover}_{\mathfrak{X}}(s_0)$.

Conversely, we show: (2) $\mathrm{Cover}_{\mathfrak{X}}(s_0) \subseteq \eta_X^{-1}(\mathrm{Cover}_{\mathfrak{S}}(\eta_X(s_0)))$. Let $x \in \mathrm{Cover}_{\mathfrak{X}}(s_0)$. So there is a natural number $k \in \mathbb{N}$, and there are $k$ maps $f_1, \ldots, f_k$ in $F$ such that $x \leq f_k(f_{k-1}(\ldots(f_2(f_1(s_0)))))$; the latter notation in particular implies that $f_i(f_{i-1}(\ldots(f_2(f_1(s_0)))))$ is defined for all $i$, $0 \leq i \leq k$. For every $i$, $0 \leq i \leq k$, define $C_i$ as $\downarrow f_i(f_{i-1}(\ldots(f_2(f_1(s_0)))))$. We claim that whenever $i \geq 1$, $C_i = Sf_i(C_{i-1})$. Indeed, $Sf_i(C_{i-1}) = \downarrow f_i(C_{i-1}) = \downarrow f_i(\downarrow f_{i-1}(\ldots(f_2(f_1(s_0)))))$. Since $f_i$ is partial monotonic, $\downarrow f_i(\downarrow y) = \downarrow f_i(y)$ for every $y \in \mathrm{dom}\,f_i$. So $Sf_i(C_{i-1}) = C_i$. Next, $C_0 = \downarrow s_0$; and $\downarrow x \subseteq C_k$, since $x \in C_k$ and $C_k$ is downward-closed. So $\downarrow x$ is in $\mathrm{Cover}_{\mathfrak{S}}(\downarrow s_0)$, i.e., $\eta_X(x)$ is in $\mathrm{Cover}_{\mathfrak{S}}(\eta_X(s_0))$. $\square$

$Cover_{\mathfrak{S}}(s_0)$ is contained, usually strictly, in $\downarrow Clover_{\mathfrak{S}}(s_0)$. The above states that, when restricted to non-limit elements (in $X$), both contain the same elements. Taking lub-accelerations $(\mathbb{S}f)^\infty$ of any composition $f$ of maps in $F$ may leave $Cover_{\mathfrak{S}}(s_0)$, but the result is always contained in $\downarrow Clover_{\mathfrak{S}}(s_0) = cl(Cover_{\mathfrak{S}}(s_0))$. So we can safely lub-accelerate in $\mathfrak{S} = \widehat{\mathfrak{X}}$ to compute the clover in $\mathfrak{S}$. While the clover is larger than the cover, taking the intersection back with $X$ will produce exactly the cover $Cover_{\mathfrak{X}}(s_0)$.

In more informal terms, the cover is the set of states reachable by either following the transitions in $F$, or going down. The closure of the cover $\downarrow Clover_{\mathfrak{S}}(s_0)$ contains not just states that are reachable in the above sense, but also the limits of chains of such states. One may think of the elements of $\downarrow Clover_{\mathfrak{S}}(s_0)$ as being those states that are "reachable in infinitely many steps" from $s_0$. And we hope to find the finitely many elements of $Clover_{\mathfrak{S}}(s_0)$ by doing enough lub-accelerations.

4. A Robust Class of WSTS: $\omega^2$-WSTS

It would seem clear that the completion $\mathfrak{S} = \widehat{\mathfrak{X}}$ of a WSTS $\mathfrak{X} = (X, \to, \leq)$ should again be a WSTS. We shall show that this is not the case in general. The only missing ingredient to show that $\mathfrak{S}$ is a complete WSTS is to check that $\widehat{X}$ is well-ordered by inclusion. We have indeed seen that $\widehat{X}$ is a continuous dcpo; and $\mathfrak{S}$ is strongly monotonic, because $\mathbb{S}f$ is continuous, hence monotonic, for every $f \in F$.

Next, we shall concern ourselves with the question: under what condition on $X$ is $\mathfrak{S} = \widehat{\mathfrak{X}}$ again a WSTS? Equivalently, when is $\widehat{X}$ well-ordered by inclusion? We shall see that there is a definite answer: when $X$ is $\omega^2$-wqo.

4.1. Motivation. The question may seem mostly of academic interest. On the contrary, we illustrate that it is crucial to establish the progress property described below.

Let us imagine a procedure in the style of the Karp-Miller tree construction. We shall provide an abstract version of one, $Clover_{\mathfrak{S}}$, in Section 5. However, to make things clearer, we shall use a direct imitation of the Karp-Miller procedure for Petri nets for now, generalized to arbitrary WSTS. This is a slight variant of the generalized Karp-Miller procedure of [Fin87, Fin90], and we shall therefore call it by that name.

We build a tree, with nodes labeled by elements of the completion $\widehat{X}$, and edges labeled by transitions $f \in F$. During the procedure, nodes can be marked extensible or non-extensible. We start with the tree with only one node labeled $s_0$, and mark it extensible. At each step of the procedure, we pick an extensible leaf node $N$, labeled with $s \in \widehat{X}$, say, and add new children to $N$. For each $f \in F$ such that $s \in \mathrm{dom}\, \mathbb{S}f$, let $s' = \mathbb{S}f(s)$, and add a new child $N'$ to $N$. The edge from $N$ to $N'$ is labeled $f$. If $s'$ already labels some ancestor of $N'$, then we label $N'$ with $s'$ and mark it non-extensible. If $s'' \leq s'$ for no label $s''$ of an ancestor of $N'$, then we label $N'$ with $s'$ and mark it extensible. Finally, if $s'' \leq s'$ for some label $s''$ of an ancestor $N_0$ of $N'$ (what we shall refer to as case (*) below), then the path from $N_0$ to $N'$ is labeled with a sequence of functions $f_1, \ldots, f_p$ from $F$, and we label $N'$ with the lub-acceleration $(f_p \circ \cdots \circ f_1)^\infty(s'')$. (There is a subtle issue here: if there are several such ancestors $N_0$, then we possibly have to lub-accelerate several sequences $f_1, \ldots, f_p$ from the label $s''$ of $N_0$: in this case, we must create several successor nodes $N'$, one for each value of $(f_p \circ \cdots \circ f_1)^\infty(s'')$.) When $X = \mathbb{N}^k$ and each $f \in F$ is a Petri net transition, this is the Karp-Miller procedure, up to the subtle issue just mentioned, which we shall ignore.

Let us recall that the Karp-Miller tree (and also the reachability tree) is finitely branching, since the set $F$ of functions is finite. This will allow us to use König's Lemma, which states that any finitely branching, infinite tree has at least one infinite branch.

The reasons why the original Karp-Miller procedure terminates on (ordinary) Petri nets are two-fold. First, when $X = \mathbb{N}^k$, one cannot lub-accelerate more than $k$ times, because each lub-acceleration introduces a new $\omega$ component to the label of the produced state, which will not disappear in later node extensions. This is specific to Petri nets, and already fails for reset Petri nets, where $\omega$ components do disappear.

The second reason is of more general applicability: $X = \mathbb{N}^k$ is wpo, and this implies that along every infinite branch of the tree thus constructed, case (*) will eventually happen, and in fact will happen infinitely many times. Call this progress: along any infinite path, one will lub-accelerate infinitely often. In the original Karp-Miller procedure for Petri nets, this will entail termination.

Figure 3: The reset Petri net from [DFS98]

As we have already announced, for WSTS other than Petri nets, termination cannot be ensured. But at least we would like to ensure progress. The argument above shows that progress is obtained provided $\widehat{X}$ is wpo (or even just wqo). This is our main motivation in characterizing those wpos $X$ such that $\widehat{X}$ is wpo again.

Before we proceed, let us explain why termination cannot be ensured. Generally, this will follow from undecidability arguments (e.g., Proposition 4.6 below). Here is a concrete case of non-termination. Consider the reset Petri net of [DFS98, Example 3], see Figure 3. This net has 4 places and 4 transitions, hence defines a transition system on $\mathbb{N}^4$. Its transitions are: $t_1(n_1, n_2, n_3, n_4) = (n_1, n_2 - 1, n_3, n_4 + 1)$ if $n_2 \geq 1$, $t_2(n_1, n_2, n_3, n_4) = (n_1 - 1, 0, n_3 + 1, n_4)$ if $n_1 \geq 1$, $t_3(n_1, n_2, n_3, n_4) = (n_1, n_2 + 1, n_3, n_4 - 1)$ if $n_3, n_4 \geq 1$, and $t_4(n_1, n_2, n_3, n_4) = (n_1 + 1, n_2 + 1, n_3 - 1, 0)$ if $n_3 \geq 1$.  Note that $t_4(t_3^{n_2}(t_2(t_1^{n_2}(1, n_2, 0, 0)))) = (1, n_2 + 1, 0, 0)$ whenever $n_2 \geq 1$. The generalized Karp-Miller tree procedure, starting from $s_0 = (1, 1, 0, 0)$, will produce a child labeled $(1, 0, 0, 1)$ through $t_1$, then $(0, 0, 1, 1)$ through $t_2$, then $(0, 1, 1, 0)$ through $t_3$. Using $t_4$ leads us to case (*) with $s' = (1, 2, 0, 0)$. So the procedure will lub-accelerate the sequence $t_1 t_2 t_3 t_4$, starting from $s_0 = (1, 1, 0, 0)$. However $(t_4 \circ t_3 \circ t_2 \circ t_1)(s') = (1, 2, 0, 0) = s'$ again, so the sequence of iterates $(t_4 \circ t_3 \circ t_2 \circ t_1)^n(s_0)$ stabilizes at $s'$, and $(t_4 \circ t_3 \circ t_2 \circ t_1)^\infty(s_0) = s'$. So the procedure adds a node labeled $s' = (1, 2, 0, 0)$. Similarly, starting from the latter, the procedure will eventually lub-accelerate the sequence $t_1^2 t_2 t_3^2 t_4$, producing a node labeled $(1, 3, 0, 0)$, and in general produce nodes labeled $(1, i + 1, 0, 0)$ for any $i \geq 1$ after having lub-accelerated the sequence $t_1^i t_2 t_3^i t_4$ from a node labeled $(1, i, 0, 0)$. In particular, the generalized Karp-Miller tree procedure will generate infinitely many nodes, and therefore fail to terminate.

This example also illustrates the following: progress does not mean that we shall eventually compute limits $g^\infty(s)$ that could not be reached in finitely many steps. In the example above, we do lub-accelerate infinitely often, and compute $(t_4 \circ t_3^i \circ t_2 \circ t_1^i)^\infty(1, i, 0, 0)$, but none of these lub-accelerations actually serve any purpose, since $(t_4 \circ t_3^i \circ t_2 \circ t_1^i)^\infty(1, i, 0, 0) = (1, i + 1, 0, 0)$ is already equal to $(t_4 \circ t_3^i \circ t_2 \circ t_1^i)(1, i, 0, 0)$.
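The run just described, as an added illustration that is not code from the paper: the four transitions of the reset net as Python functions, the generalized Karp-Miller tree of Section 4.1 explored depth-first with $t_1$ tried first (so its first branch is the one followed in the text), and a node budget standing in for the infinite run. Lub-acceleration is computed by iterating until the chain becomes stationary, which, as the text observes, is all this particular net ever needs; the budget and the stabilisation guard are ours.

```python
# Generalized Karp-Miller tree on the reset Petri net of [DFS98, Example 3].
from typing import Callable, List, Optional, Sequence, Tuple

State = Tuple[int, int, int, int]
Transition = Callable[[State], Optional[State]]   # None outside the domain

def t1(s: State) -> Optional[State]:
    n1, n2, n3, n4 = s
    return (n1, n2 - 1, n3, n4 + 1) if n2 >= 1 else None

def t2(s: State) -> Optional[State]:
    n1, n2, n3, n4 = s
    return (n1 - 1, 0, n3 + 1, n4) if n1 >= 1 else None      # resets place 2

def t3(s: State) -> Optional[State]:
    n1, n2, n3, n4 = s
    return (n1, n2 + 1, n3, n4 - 1) if n3 >= 1 and n4 >= 1 else None

def t4(s: State) -> Optional[State]:
    n1, n2, n3, n4 = s
    return (n1 + 1, n2 + 1, n3 - 1, 0) if n3 >= 1 else None  # resets place 4

F = {"t1": t1, "t2": t2, "t3": t3, "t4": t4}

def compose(word: Sequence[str]) -> Transition:
    """The map f_p o ... o f_1 for the edge labels f_1 ... f_p of a path."""
    def g(s: Optional[State]) -> Optional[State]:
        for name in word:
            if s is None:
                return None
            s = F[name](s)
        return s
    return g

def lub_accelerate(g: Transition, s: State, guard: int = 1000) -> State:
    """g^infty(s) = lub of the chain s <= g(s) <= g^2(s) <= ...
    On this net every such chain becomes stationary (the resets in t2 and t4
    bound n2 + n4), so the lub is reached by iteration.  A chain still moving
    after `guard` steps would need a genuine limit element, which this
    constructed helper refuses to guess."""
    for _ in range(guard):
        nxt = g(s)
        if nxt is None or nxt == s:
            return s
        s = nxt
    raise RuntimeError("lub-acceleration did not stabilise")

def leq(a: State, b: State) -> bool:
    return all(x <= y for x, y in zip(a, b))

def karp_miller(s0: State, max_nodes: int) -> Tuple[List[State], bool]:
    """Depth-first generalized Karp-Miller tree.  Returns (labels in creation
    order, terminated); terminated is False when the node budget ran out
    while extensible leaves were still pending."""
    labels: List[State] = [s0]
    # A chain lists (edge label, node label) from the root down to a leaf.
    stack: List[List[Tuple[Optional[str], State]]] = [[(None, s0)]]
    while stack:
        chain = stack.pop()
        s = chain[-1][1]
        ancestors = [lab for _, lab in chain]
        children: List[Tuple[str, State, bool]] = []
        for name, f in F.items():                     # t1 first, t4 last
            s1 = f(s)
            if s1 is None:
                continue
            if s1 in ancestors:                       # non-extensible node
                children.append((name, s1, False))
                continue
            below = [k for k, s2 in enumerate(ancestors) if leq(s2, s1)]
            if not below:                             # plain extensible node
                children.append((name, s1, True))
                continue
            # case (*): one child per distinct accelerated value
            values = set()
            for k in below:
                g = compose([n for n, _ in chain[k + 1:]] + [name])
                values.add(lub_accelerate(g, ancestors[k]))
            for v in sorted(values):
                children.append((name, v, v not in ancestors))
        for _, lab, _ in children:
            if len(labels) >= max_nodes:
                return labels, False
            labels.append(lab)
        for name, lab, extensible in reversed(children):   # t1 child on top
            if extensible:
                stack.append(chain + [(name, lab)])
    return labels, True
```

With a budget of 60 nodes the first branch already carries $(1, 2, 0, 0)$, $(1, 3, 0, 0)$ and $(1, 4, 0, 0)$, every acceleration along it returning the very label the plain transition would have produced.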

Progress will take a slightly different form in the actual procedure $Clover_{\mathfrak{S}}$ of Section 5. In fact, the latter will not build a tree, as the tree is in fact only algorithmic support for ensuring a fair choice of a state in $\widehat{X}$, and essentially acts as a distraction. However, progress will be crucial (Proposition 5.4 states that if the set of values computed by the procedure $Clover_{\mathfrak{S}}$ is finite then $Clover_{\mathfrak{S}}$ terminates) in our characterization of the cases where $Clover_{\mathfrak{S}}$ terminates (Theorem 5.21), as those states that are clover-flattable (see Section 5). Without it, $Clover_{\mathfrak{S}}$ would terminate in strictly fewer cases.

Figure 4: Ideals in Rado's Structure

4.2. The Rado Structure. We now return to the purpose of this section: showing that $\widehat{X}$ is well-ordered iff $X$ is $\omega^2$-wqo. We start by showing that, in some cases, $\widehat{X}$ is indeed not well-ordered.

Take $X$ to be Rado's structure $X_{Rado}$ [Rad54], i.e., $\{(m, n) \in \mathbb{N}^2 \mid m < n\}$, ordered by $\leq_{Rado}$: $(m, n) \leq_{Rado} (m', n')$ iff $m = m'$ and $n \leq n'$, or $n < m'$. It is well-known that $\leq_{Rado}$ is a well quasi-ordering, and that $\mathbb{P}(X_{Rado})$ is not well-quasi-ordered by $\leq^\sharp_{Rado}$, defined as $A \leq^\sharp_{Rado} B$ iff for every $y \in B$, there is an $x \in A$ such that $x \leq_{Rado} y$ [Jan99]. (Equivalently, $A \leq^\sharp_{Rado} B$ iff $\uparrow B \subseteq \uparrow A$.)

Consider indeed $\omega_i = \{(i, n) \mid n \geq i + 1\} \cup \{(m, n) \in X_{Rado} \mid n \leq i - 1\}$, for each $i \in \mathbb{N}$. This is pictured as the dark blue (or dark grey) region in Figure 4, and arises naturally in Lemma 4.1 below. Note that $\omega_i$ is downward-closed in $\leq_{Rado}$. Consider the complement $\overline{\omega_i}$ of $\omega_i$, and note that $\overline{\omega_i} \leq^\sharp_{Rado} \overline{\omega_j}$ iff $\uparrow \overline{\omega_j} \subseteq \uparrow \overline{\omega_i}$, iff $\overline{\omega_j} \subseteq \overline{\omega_i}$ (since $\overline{\omega_i}$ is upward-closed), iff $\omega_i \subseteq \omega_j$. However, when $i < j$, $(i, j)$ is in $\omega_i$ but not in $\omega_j$, so $\overline{\omega_i} \not\leq^\sharp_{Rado} \overline{\omega_j}$. So $(\overline{\omega_i})_{i \in \mathbb{N}}$ is an infinite sequence of $\mathbb{P}(X_{Rado})$ from which one cannot extract any infinite ascending chain. Hence $\mathbb{P}(X_{Rado})$ is indeed not wqo.

Let us characterize $\widehat{X_{Rado}}$. To this end, we exploit the fact that $\widehat{X_{Rado}} = \mathrm{Idl}(X_{Rado})$, and examine the structure of directed subsets of $X_{Rado}$.

Lemma 4.1. The downward-closed directed subsets of $X_{Rado}$, apart from those of the form $\downarrow (m, n)$, are of the form $\omega_i = \{(i, n) \mid n \geq i + 1\} \cup \{(m, n) \in X_{Rado} \mid n \leq i - 1\}$, or $\omega = X_{Rado}$.



Proof. Take any downward-closed directed subset $D$ of $X_{Rado}$. Consider the set $I$ of all integers $i$ such that some $(i, n)$ is in $D$. If $I$ is not bounded, then $D = X_{Rado}$. Indeed, for every $(m, n) \in X_{Rado}$, since $I$ is not bounded, there is an $(i, n') \in D$ with $i > n$. Then $(m, n) < (i, n')$, so $(m, n) \in D$.

If $I$ is bounded, on the other hand, let $i$ be the largest element of $I$. Then $(i, i + 1)$ is in $D$: by assumption $(i, n)$ is in $D$ for some $n \geq i + 1$, hence $(i, i + 1)$ also, since $D$ is downward-closed.

There cannot be any $(i', j') \in D$ with $i' < i$ and $j' > i$. That is, the rectangular area above the lower triangle of $\omega_i$, as shown in Figure 4, must be entirely outside $D$. Otherwise, since $D$ is directed, there would be an $(i'', j'') \in D$ with $(i, i + 1), (i', j') \leq_{Rado} (i'', j'')$; the case $i'' = i$ is impossible, since then $(i', j') \leq_{Rado} (i'', j'')$ would imply $i' = i''$ and $j' \leq j''$ (impossible since $i' < i$), or $j' < i''$ (impossible since then $i < j' < i'' = i$); since $i'' \neq i$ and $(i, i + 1) \leq_{Rado} (i'', j'')$, we must have $i + 1 < i''$, contradicting the maximality of $i$ in $I$.

On the other hand, since $(i, i + 1)$ is in $D$, the lower triangle of $\omega_i$, as shown in Figure 4, must be in $D$: these are the points $(m, n)$ with $n < i$.

If the set of natural numbers $n$ such that $(i, n)$ is in $D$ is bounded, say by $n_{max}$, then the only elements in $D$ are those of the form $(i, j)$ with $j \leq n_{max}$, and those of the form $(m, n)$ with $n < i$. One checks easily that this is $\downarrow (i, n_{max})$ in $X_{Rado}$. Otherwise, $D$ contains every $(i, n)$ with $n \geq i + 1$, and therefore $D$ contains $\omega_i$. It cannot contain more, so $D = \omega_i$. Then one checks that $\omega_i$ is indeed directed and downward-closed. □

So $\widehat{X_{Rado}} = \mathrm{Idl}(X_{Rado})$ is obtained by adjoining infinitely many elements $\omega_0, \omega_1, \ldots, \omega_i, \ldots$, and $\omega$ to $X_{Rado}$. They are ordered so that $(i, n) \leq \omega_i$ for all $n \geq i + 1$, $\omega_i \leq \omega$ for all $i \in \mathbb{N}$, and no other ordering relationship exists that involves one of the fresh elements. In particular, note that $\{\omega_i \mid i \in \mathbb{N}\}$ is an infinite antichain, whence $\widehat{X_{Rado}} = \mathrm{Idl}(X_{Rado})$ is not wqo:

Proposition 4.2. $\widehat{X_{Rado}}$ contains an infinite antichain, and is therefore not well-ordered by inclusion. □



4.3. $\omega^2$-WSTS. Recall here the working definition in [Jan99]: a well-quasi-order $X$ is $\omega^2$-wqo if and only if it does not contain an (isomorphic copy of) $X_{Rado}$; here we use Jančar's definition, as it is more tractable than the complex definition of [Mar94]. Jančar proved that $X$ is $\omega^2$-wqo iff $(\mathbb{P}(X), \leq^\sharp)$ is wqo, see e.g. [Jan99]. We show that the above is the only case that can go bad:

Proposition 4.3. Let $S$ be a well-quasi-order. Then $\widehat{S}$ is well-quasi-ordered by inclusion iff $S$ is $\omega^2$-wqo.

Proof. Recall that $B_1 \leq^\sharp_{Rado} B_2$ if and only if for every $y_2 \in B_2$, there is $y_1 \in B_1$ with $y_1 \leq_{Rado} y_2$. Note that $B_1 \leq^\sharp_{Rado} B_2$ if and only if $\uparrow B_1 \supseteq \uparrow B_2$. Reformulate the previous result of Jančar [Jan99] by using the ordering $\leq^\sharp$: $S$ is $\omega^2$-wqo if and only if $\mathbb{P}(S)$ is well-ordered by $\leq^\sharp$.

Recall that the Alexandroff topology on a poset is the collection of its upward-closed subsets; i.e., a subset is Alexandroff-open if and only if it is upward-closed. Write $S_a$ for $S$ with its Alexandroff topology. Any set of the form $\uparrow B$ in $S$ is Alexandroff-open (i.e., upward-closed), and any Alexandroff-open is of this form, with $B$ finite, because $S$ is wqo. In other words, the set $\mathcal{O}(S_a)$ of all opens (upward-closed subsets) of $S$ is well-ordered by reverse inclusion $\supseteq$ if and only if $S$ is $\omega^2$-wqo.
Recall that the Hoare powerdomain $\mathcal{H}(S_a)$ of $S_a$ is the set of all non-empty closed subsets of $S_a$ (the downward-closed subsets of $S$), ordered by inclusion. It follows that $\mathcal{H}(S_a)$ is well-ordered by inclusion $\subseteq$ if and only if $S$ is $\omega^2$-wqo. Then we recall that $\widehat{S} = \mathbb{S}(S_a)$ is the subspace of $\mathcal{H}(S_a)$ consisting of all irreducible closed subsets [Gou07].

When $S$ is $\omega^2$-wqo, since $\mathcal{H}(S_a)$ is well-ordered by inclusion, the smaller set $\widehat{S} = \mathbb{S}(S_a)$ is also well-ordered by inclusion.

Conversely, assume that $\widehat{S} = \mathbb{S}(S_a)$ is well-ordered by inclusion. If $S$ were not $\omega^2$-wqo, then it would contain a subset $Y$ that is order-isomorphic to $X_{Rado}$. Hence $\widehat{S} = \mathbb{S}(S_a) = \mathrm{Idl}(S)$ would contain $\widehat{Y} = \mathrm{Idl}(Y)$. However, by Proposition 4.2, $\mathrm{Idl}(Y)$ contains an infinite antichain: contradiction. □

Let an $\omega^2$-WSTS be any WSTS whose underlying poset is $\omega^2$-wqo. It follows:

Theorem 4.4. Let $\mathfrak{S} = (S, \to, \leq)$ be a functional WSTS. Then $\widehat{\mathfrak{S}}$ is a (complete, functional) WSTS iff $\mathfrak{S}$ is an $\omega^2$-WSTS. □



4.4. Are $\omega^2$-wqos Ubiquitous? $X_{Rado}$ is an example of a wqo that is not $\omega^2$-wqo. It is natural to ask whether this is the norm or an exception. We claim that all wpos used in the verification literature are in fact $\omega^2$-wpo.

Consider the following grammar of datatypes, which extends that of [FG09, Section 5] with the case of finite trees (last line):

    $D ::= \mathbb{N}$                         natural numbers
        $|\ A_{\leq}$                          finite set $A$, ordered by $\leq$
        $|\ D_1 \times \cdots \times D_k$      finite product
        $|\ D_1 + \cdots + D_k$                finite, disjoint sum          (4.1)
        $|\ D^*$                               finite words
        $|\ D^{\circledast}$                   finite multisets
        $|\ T(D)$                              finite trees

$\mathbb{N}$ is ordered with its usual ordering; the ordering $\leq$ on the arbitrary finite set $A$ is itself arbitrary. Finite products are ordered componentwise: given that each $D_i$ is ordered by $\leq_i$, then the ordering $\leq$ on $D = D_1 \times \cdots \times D_k$ is defined by $(x_1, \ldots, x_k) \leq (y_1, \ldots, y_k)$ iff $x_1 \leq_1 y_1$ and ... and $x_k \leq_k y_k$. Finite sums are ordered in the obvious way: the elements of $D_1 + \cdots + D_k$ are pairs $(i, x)$ where $1 \leq i \leq k$ and $x \in D_i$, and $(i, x) \leq (j, y)$ iff $i = j$ and $x \leq y$.

$D^*$ is the set of finite words over the (possibly infinite) alphabet $D$, and given that the ordering on $D$ is $\leq$, $D^*$ is ordered by the divisibility ordering $\leq^*$, defined by $w \leq^* w'$ iff, writing $w$ as the sequence of letters $a_1 a_2 \cdots a_n$, then $w'$ is of the form $w_0 a'_1 w_1 a'_2 \cdots a'_n w_n$, for some words $w_0, w_1, \ldots, w_n$, and some letters $a'_i$, $1 \leq i \leq n$, such that $a_i \leq a'_i$.

$D^{\circledast}$ is the set of finite multisets $\{| x_1, \ldots, x_n |\}$ of elements of $D$. Write again $\leq$ the ordering on $D$. Then $D^{\circledast}$ is ordered by $\leq^{\circledast}$ defined as: $\{| x_1, x_2, \ldots, x_m |\} \leq^{\circledast} \{| y_1, y_2, \ldots, y_n |\}$ iff there is an injective map $r : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that $x_i \leq y_{r(i)}$ for all $i$, $1 \leq i \leq m$.

Note that $\leq^{\circledast}$ is not the usual multiset extension $\leq_{mul}$ of $\leq$. However, for one, this is the $\leq_m$ quasi-ordering considered, on finite sets $X$, by Abdulla et al. [ADMN04b, Section 2] for example. Then, it turns out that $m \leq^{\circledast} m'$ entails $m \leq_{mul} m'$. In particular, the fact that $\leq^{\circledast}$ is well, whenever $\leq$ is, entails that $\leq_{mul}$ is well: given any sequence of multisets $(m_i)_{i \in \mathbb{N}}$, one can extract an infinite ascending chain with respect to $\leq^{\circledast}$, hence also with respect to $\leq_{mul}$. Similarly, when $(D^{\circledast}, \leq^{\circledast})$ is an $\omega^2$-wqo, then so is $(D^{\circledast}, \leq_{mul})$, using the fact that $X$ is $\omega^2$-wqo iff both $X$ and $\mathbb{P}(X)$ are wqo (the latter, equipped with $\leq^\sharp$).

Finally, $T(D)$ is the set of all finite (unranked, ordered) trees over function symbols taken from $D$. This is the smallest set $X$ such that, for every $f \in D$, for every $t \in X^*$, the pair $(f, t)$ is in $X$. When $t$ is the word consisting of the terms $t_1 t_2 \cdots t_m$, we usually write $(f, t)$ as the term $f(t_1, t_2, \ldots, t_m)$. Given an ordering $\leq$ on $D$, the embedding ordering $\leq_{emb}$ on $T(D)$ is defined by induction on the sum of the sizes of the terms to compare by: $t = f(t_1, t_2, \ldots, t_m) \leq_{emb} g(u_1, u_2, \ldots, u_n)$ iff $t \leq_{emb} u_j$ for some $j$, $1 \leq j \leq n$, or $f \leq g$ and $t_1 t_2 \cdots t_m \ (\leq_{emb})^* \ u_1 u_2 \cdots u_n$.



We will prove that every datatype defined in (4.1) is not only $\omega^2$-wqo but a better quasi-ordering (bqo). Better quasi-orderings were invented by Nash-Williams to overcome certain limitations of wqo theory [NW65]. Their definition is complex, and we shall omit it. For short, $X$ is bqo iff $\mathbb{P}^{\omega_1}(X)$ is wqo, where $\omega_1$ is the first uncountable ordinal, $\mathbb{P}^\alpha(X)$ is defined for every ordinal $\alpha$ by $\mathbb{P}^0(X) = X$, $\mathbb{P}^{\alpha + 1}(X) = \mathbb{P}(\mathbb{P}^\alpha(X))$, $\mathbb{P}^\alpha(X) = \bigcup_{\beta < \alpha} \mathbb{P}^\beta(X)$ for every limit ordinal $\alpha$, and where powersets are quasi-ordered by $\leq^\sharp$. Abdulla and Nylén give a gentle introduction to the theory of bqos [AN00].

Then:

Proposition 4.5. Every datatype defined in (4.1) is $\omega^2$-wqo, and in fact bqo.

Proof. Every bqo is $\omega^2$-wqo, as the above characterization shows ($\mathbb{P}^\alpha(X)$ is wqo for all $\alpha < \omega_1$, hence certainly for $\alpha = 0$ and $\alpha = 1$). Any finite ordered set, any finite union of bqos, any finite product of bqos is bqo [Mil85]. When $D$ is bqo, the set of all ordinal-indexed sequences over $D$ is again bqo under an obvious extension of the divisibility ordering, see [NW65] or [Mil85, 2.22]. Since any subset of a bqo is again bqo, we deduce that $D^*$ is bqo whenever $D$ is (this is also mentioned in [AN00, Theorem 3.1 (3)]). When $D$ is bqo, $D^{\circledast}$ is proved to be a bqo in [AN00, Theorem 3.1 (4)]. Finally, $D$ is bqo implies that $T(D)$ is bqo by [Lav71, Theorem 2.2]; Laver in fact shows that the class of so-called $Q$-trees is bqo under tree embedding as soon as $Q$ is, where a $Q$-tree is a possibly infinitely branching tree with branches of length at most $\omega$ whose nodes are labeled with elements of $Q$. □

In fact, all naturally occurring wqos are bqos, perhaps with the notable exception of finite graphs quasi-ordered by the graph minor relation, which are wqo [RS04] but not known to be bqo.

4.5. Effective Complete WSTS. The completion $\widehat{\mathfrak{S}}$ of a WSTS $\mathfrak{S}$ is effective iff the completion $\widehat{S}$ of the set of states is effective and $\mathbb{S}f$ is recursive for all $f \in F$. $\widehat{S}$ is effective for all the data types of [FG09, Section 5]¹. Also, $\mathbb{S}f$ is indeed recursive for all $f \in F$, whether in Petri nets, functional-lossy channel systems, or reset/transfer Petri nets notably.

¹ That is, of Section 4.4 of this paper, see (4.1), with the exception of the finite tree constructor. We have a proof that $\widehat{S}$ is in fact effective for all the data types of (4.1) [FG12], but this is not published yet.

In the case of ordinary or reset/transfer Petri nets, and in general for all affine counter systems (which we shall investigate from Definition 6.2 on), $\mathbb{S}f$ coincides with the extension $\widehat{f}$ defined in [FMP04, Section 2]: whenever $\mathrm{dom}\, f$ is upward-closed and $f : \mathbb{N}^k \to \mathbb{N}^k$ is defined by $f(s) = As + a$, for some matrix $A \in \mathbb{N}^{k \times k}$ and vector $a \in \mathbb{Z}^k$, then $\mathrm{dom}\, \mathbb{S}f = \uparrow \mathrm{dom}\, f$, and $\mathbb{S}f(s)$ is again defined as $As + a$, this time for all $s \in \mathbb{N}_\omega^k$, and using the convention that $0 \times \omega = 0$ when computing the matrix product $As$ [FMP04, Theorem 7.9].

In the case of functional-lossy channel systems, it is easy to see that $\mathrm{dom}\, \mathbb{S}(\mathrm{send}_a) = \widehat{S}$, $\mathbb{S}(\mathrm{send}_a)(P) = P a^?$ for every word-product $P$; and that $\mathrm{dom}\, \mathbb{S}(\mathrm{recv}_a) = \uparrow a^?$, and:

    $\mathbb{S}(\mathrm{recv}_a)(a^? P) = P$
    $\mathbb{S}(\mathrm{recv}_a)(b^? P) = \mathbb{S}(\mathrm{recv}_a)(P)$   ($b \neq a$)
    $\mathbb{S}(\mathrm{recv}_a)(A^* P) = A^* P$   if $a \in A$
    $\mathbb{S}(\mathrm{recv}_a)(A^* P) = \mathbb{S}(\mathrm{recv}_a)(P)$   otherwise

These formulae in fact work whenever letters are taken from an alphabet that is wqo; for example, any of the data types $D$ of (4.1). We retrieve the formulae of [ABJ98, Lemma 6], which were proved in the case where the alphabet $D$ is finite, with $=$ as ordering. This also generalizes the algorithms on the so-called word language generators of [ADMN04a], which are elements of $(A^{\circledast})^*$ with $A$ finite.

As promised, we can now show:

Proposition 4.6. There are effective complete WSTS $\mathfrak{S}$ such that the map $Clover_{\mathfrak{S}} : S \to \mathbb{P}_{fin}(S)$ is not recursive.

Proof. Let $\mathfrak{S}$ be the completion of a functional-lossy channel system [FG09, Section 6] on the message alphabet $\Sigma$. By Theorem 4.4, $\mathfrak{S}$ is a complete WSTS. It is effective, too, see above or [ABJ98, Lemma 6]. $Clover_{\mathfrak{S}}(s_0)$ can be written as a finite set of tuples, consisting of control states $q_i$ (one for each of the communicating automata) and of word-products $P_j$ (one for each channel). Each $P_j$ is a product of atomic expressions $A^*$ ($A \in \mathbb{P}_{fin}(\Sigma)$, $A \neq \emptyset$) or $a^?$ ($a \in \Sigma$). Now $Post^*_{\mathfrak{S}}(s_0)$ is finite iff none of these atomic expressions is of the form $A^*$. So, if we could compute $Clover_{\mathfrak{S}}(s_0)$, this would allow us to decide boundedness for functional-lossy channel systems. However functional-lossy channel systems are equivalent to lossy channel systems in this respect, and boundedness is undecidable for the latter [CFP96]. We could have played the same argument with reset Petri nets [DFS98] instead as well. □



5. A Conceptual Karp-Miller Procedure 

There are some advantages in using a forward procedure to compute (part of) the clover for solving coverability. For depth-bounded processes, a fragment of the $\pi$-calculus, the simple algorithm that works backward (computing the set of predecessors of an upward-closed initial set) of [ACJT00] is not applicable when the maximal depth of configurations is not known in advance because, in this case, the predecessor configurations are not effectively computable [WZH10]. It has also been proved that, unlike backward algorithms (which solve coverability without computing the clover), the Expand, Enlarge and Check forward algorithm of [GRvB07], which operates on complete WSTS, solves coverability by computing a sufficient part of the clover, even though the depth of the process is not known a priori [WZH10]. Recently, Zufferey, Wies and Henzinger proposed to compute a part of the clover by using a particular widening, called a set-widening operator [ZWH12], which loses some information, but always terminates and seems sufficiently precise to compute the clover in various case studies.

The Petri net case also gives complexity-theoretic insights. Solving coverability in Petri nets can be done by using Rackoff's forward procedure [Rac78], or the backward procedure [BG11]. Both work in EXPSPACE; the complexity of the forward coverability procedure of [GRvB07] is not known. On the other hand, the complexity of computing the clover is not primitive recursive for Petri nets [MM81].

Model-checking safety properties of WSTS can be reduced to coverability, but there are other properties, such as boundedness (is $Post^*_{\mathfrak{S}}(s)$ finite?) and $U$-boundedness (is $Post^*_{\mathfrak{S}}(s) \cap U$ finite?) that cannot be reduced to coverability: $U$-boundedness is decidable for Petri nets and for Vector Addition Systems but undecidable for Reset Vector Addition Systems [DFS98], and for Lossy Channel Systems [May03a], hence for general WSTS.

Recall that being able to compute the clover allows one to decide not only coverability (since $s\ (\geq; \to^*; \geq)\ t$ iff $t \in Cover_{\mathfrak{S}}(s)$ iff $\exists t' \in Clover_{\mathfrak{S}}(s)$ such that $t \leq t'$) but also boundedness, $U$-boundedness and place-boundedness. To the best of our knowledge, the only known algorithms that decide place-boundedness (and also some formal language properties such as regularity and context-freeness of Petri net languages) require one to compute the clover.

Another argument in favor of computing clovers is Emerson and Namjoshi's [EN98] approach to model-checking liveness properties of WSTS, which uses a finite (coverability) graph based on the clover. Since WSTS enjoy the finite path property ([EN98], Definition 7), model-checking liveness properties is decidable for complete WSTS for which the clover is computable.

All these reasons motivate us to try to compute the clover for classes of complete WSTS, 
even though it is not computable in general. 

The key to designing some form of a Karp-Miller procedure, such as the generalized Karp-Miller tree procedure (Section 4.1) or the $Clover_{\mathfrak{S}}$ procedure below, is being able to compute lub-accelerations. Hence:

Definition 5.1 ($\infty$-Effective). An effective complete functional WSTS $\mathfrak{S} = (S, \to, \leq)$ is $\infty$-effective iff every function $g^\infty$ is computable, for every $g \in F^*$, where $F^*$ is the set of all compositions of maps in $F$.

E.g., the completion of a Petri net is $\infty$-effective: not only is $\mathbb{N}_\omega^k$ a wpo, but every composition of transitions $g \in F^*$ is of the form $g(x) = x + \delta$, where $\delta \in \mathbb{Z}^k$. If $x \leq g(x)$ then $\delta \in \mathbb{N}^k \setminus \{0\}$. Writing $x_i$ for the $i$th component of $x$, it follows that $g^\infty(x)$ is the tuple whose $i$th component is $x_i$ if $\delta_i = 0$, and $\omega$ otherwise.

Let $\mathfrak{S}$ be an $\infty$-effective WSTS, and write $A \leq^\flat B$ iff $\downarrow A \subseteq \downarrow B$, i.e., iff every element of $A$ is below some element of $B$. This is the Hoare quasi-ordering, also known as the domination quasi-ordering. The following is a simple procedure which computes the clover of its input $s_0 \in S$ (when it terminates):

Procedure $Clover_{\mathfrak{S}}(s_0)$:

    1. $A \leftarrow \{s_0\}$;
    2. while $Post_{\mathfrak{S}}(A) \not\leq^\flat A$ do
        (a) Choose fairly (see below) $(g, a) \in F^* \times A$ such that $a \in \mathrm{dom}\, g$;
        (b) $A \leftarrow A \cup \{g^\infty(a)\}$;
    3. return $\mathrm{Max}\, A$;

Note that $Clover_{\mathfrak{S}}$ is well-defined and all its lines are computable by assumption, provided we make clear what we mean by fair choice in line (a). Call $A_m$ the value of $A$ at the start of the $(m+1)$st turn of the loop at step 2 (so in particular $A_0 = \{s_0\}$). The choice at line (a) is fair iff, on every infinite execution, every pair $(g, a) \in F^* \times A_m$ will be picked at some later stage $n \geq m$.

A possible implementation of this fair choice is the generalized Karp-Miller tree construction of Section 4.1: organize the states of $A$ as labeling nodes of a tree that we grow. At step $m$, $A_m$ is the set of leaves of the tree, and case (*) of the generalized Karp-Miller tree construction ensures that all pairs $(g, a) \in F^* \times A_m$ will eventually be picked for consideration. However, the generalized Karp-Miller tree construction does some useless work, e.g., when two nodes of the tree bear the same label.

Most existing proposals for generalizing the Karp-Miller construction do build such a tree [KM69, Fin90, Fin93, GRvB07], or a graph [EN98]. We claim that this is mere algorithmic support for ensuring fairness, and that the goal of such procedures is to compute a finite representation of the cover. Our $Clover_{\mathfrak{S}}$ procedure computes the clover, which is the minimal such representation, and isolates algorithmic details from the core construction.

We shall also see that termination of $Clover_{\mathfrak{S}}$ has strong ties with the theory of flattening [BFLS05]. However, Bardin et al. require one to enumerate sets of the form $g^*(x)$, which is sometimes harder than computing the single element $g^\infty(x)$. For example, if $g : \mathbb{N}^k \to \mathbb{N}^k$ is an affine map $g(x) = Ax + b - a$ for some matrix $A \in \mathbb{N}^{k \times k}$ and vectors $a, b \in \mathbb{N}^k$, then $g^\infty(x)$ is computable as a vector in $\mathbb{N}_\omega^k$, as we have seen in Section 4.5. But $g^*(x)$ is not even definable by a Presburger formula in general, in fact even when $g$ is a composition of Petri net transitions; this is because reachability sets of Petri nets are not semi-linear in general [HP79].

Finally, we use a fixpoint test (line 2) that is not in the Karp-Miller algorithm; and this improvement allows $Clover_{\mathfrak{S}}$ to terminate in more cases than the Karp-Miller procedure when it is used for extended Petri nets (for reset Petri nets for instance, which are a special case of the affine maps above), as we shall see. To decide whether the current set $A$, which is always an under-approximation of $Clover_{\mathfrak{S}}(s_0)$, is the clover, it is enough to decide whether $Post_{\mathfrak{S}}(A) \leq^\flat A$. The various Karp-Miller procedures only test each branch of a tree separately, with the partial exception of the minimal coverability tree algorithm [Fin90] and Geeraerts et al.'s recent coverability algorithm [GRvB07], which compare nodes across branches. That the simple test $Post_{\mathfrak{S}}(A) \leq^\flat A$ does all this at once does not seem to have been observed until now.
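The procedure $Clover_{\mathfrak{S}}$, its fair choice and the fixpoint test $Post_{\mathfrak{S}}(A) \leq^\flat A$, as an added example that is not the paper's own code, run on the completion of a small Petri net constructed for the purpose: $\omega$ is represented by floating-point infinity, $g^\infty$ follows the $x + \delta$ rule of Section 4.5, and fairness is obtained by dovetailing over the length of the composition $g$ rather than by a tree. The net itself (places $p_1, p_2, p_3$, transitions $t_a$, $t_b$) is ours.

```python
# The Clover procedure on the completion of a 3-place Petri net.
from itertools import product
from typing import Dict, Optional, Set, Tuple

OMEGA = float("inf")       # stands for omega: k < OMEGA and OMEGA +/- k = OMEGA
State = Tuple[float, ...]

# Constructed net: ta moves the token p1 -> p2, tb moves it back p2 -> p1 and
# drops one token into p3, so the composition (tb o ta)(s) = s + (0, 0, 1).
NET: Dict[str, Tuple[State, State]] = {       # name -> (pre, post)
    "ta": ((1, 0, 0), (0, 1, 0)),
    "tb": ((0, 1, 0), (1, 0, 1)),
}

def leq(a: State, b: State) -> bool:
    return all(x <= y for x, y in zip(a, b))

def fire(name: str, s: State) -> Optional[State]:
    """S f on the completion: defined iff s >= pre, then s - pre + post."""
    pre, post = NET[name]
    if not leq(pre, s):
        return None
    return tuple(x - p + q for x, p, q in zip(s, pre, post))

def run(g: Tuple[str, ...], s: State) -> Optional[State]:
    """Apply g = f_p o ... o f_1, given as the word f_1 ... f_p; None if undefined."""
    for name in g:
        s = fire(name, s)
        if s is None:
            return None
    return s

def lub_accelerate(g: Tuple[str, ...], a: State) -> State:
    """g^infty(a): if a <= g(a), the lub of the chain g^n(a), which for a
    Petri net composition g(x) = x + delta puts omega exactly where
    delta_i > 0 (Section 4.5); otherwise g(a)."""
    b = run(g, a)
    if not leq(a, b):
        return b
    return tuple(OMEGA if y > x else x for x, y in zip(a, b))

def post(A: Set[State]) -> Set[State]:
    out = set()
    for s in A:
        for name in NET:
            s1 = fire(name, s)
            if s1 is not None:
                out.add(s1)
    return out

def hoare_leq(A: Set[State], B: Set[State]) -> bool:
    """A <=^b B iff every element of A is below some element of B."""
    return all(any(leq(a, b) for b in B) for a in A)

def maximal(A: Set[State]) -> Set[State]:
    return {a for a in A if not any(a != b and leq(a, b) for b in A)}

def clover(s0: State, max_rounds: int = 10) -> Optional[Set[State]]:
    """Returns Max A once Post(A) <=^b A, or None if the round budget runs out."""
    A: Set[State] = {s0}
    # Fair choice by dovetailing: in round L every word g with |g| <= L is tried
    # against every a present at the start of the round, so a pair (g, a) with
    # a in A_m is picked once L >= max(|g|, m + 1).
    for L in range(1, max_rounds + 1):
        snapshot = sorted(A)
        for length in range(1, L + 1):
            for g in product(sorted(NET), repeat=length):
                for a in snapshot:
                    if hoare_leq(post(A), A):     # line 2: fixpoint reached
                        return maximal(A)
                    if run(g, a) is not None:     # a in dom g
                        A.add(lub_accelerate(g, a))
    return maximal(A) if hoare_leq(post(A), A) else None
```

From $s_0 = (1, 0, 0)$ the single transitions never accelerate, the length-2 words $t_a t_b$ and $t_b t_a$ produce $(1, 0, \omega)$ and $(0, 1, \omega)$, and the test $Post_{\mathfrak{S}}(A) \leq^\flat A$ then stops the loop with exactly those two maximal elements.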



5.1. Correctness and Termination of the Clover Procedure. By Proposition 4.6 we cannot hope to have $Clover_{\mathfrak{S}}$ terminate on all inputs. But we can at least start by showing that it is correct, whenever it terminates. This will be Theorem 5.5 below.

We first show that if $Clover_{\mathfrak{S}}$ terminates then the computed set $A$ is contained in $Lub(Post^*_{\mathfrak{S}}(s_0))$. It is crucial that $Lub(F) = cl(F)$ for any downward-closed set $F$, which holds because the state space $S$ is a continuous dcpo. We use this through invocations of Proposition 3.7.



Lemma 5.2. Let $\mathfrak{S} = (S, \to, \leq)$ be a complete (functional) WSTS. For any subset $A$ of states, $Post^*_{\mathfrak{S}}(cl(A)) \subseteq cl(Post^*_{\mathfrak{S}}(A))$.

Proof. We first observe that $Post_{\mathfrak{S}}(cl(A)) \subseteq cl(Post_{\mathfrak{S}}(A))$. Indeed, for any $s \in Post_{\mathfrak{S}}(cl(A))$, there is an $f \in F$ and some $t \in \mathrm{dom}\, f \cap cl(A)$ such that $f(t) = s$. Let $U$ be the complement of $cl(Post_{\mathfrak{S}}(A))$: $U$ is open by definition. Since $f$ is partial continuous, $f^{-1}(U)$ is open. If $s$ were in $U$, then $t$ would be in $f^{-1}(U)$, and in $cl(A)$. It is a general property of topological spaces that an open (here $f^{-1}(U)$) meets $cl(A)$ iff it meets $A$. So there is also a state $t'$ in $f^{-1}(U) \cap A$. That is, $t' \in \mathrm{dom}\, f$, $f(t') \in U$ and $t' \in A$. But $t' \in A$ implies $f(t') \in Post_{\mathfrak{S}}(A) \subseteq cl(Post_{\mathfrak{S}}(A))$, contradicting the fact that $f(t') \in U$. So $s$ cannot be in $U$, i.e., $s \in cl(Post_{\mathfrak{S}}(A))$.

By an easy induction on $k \in \mathbb{N}$, it follows that $Post^k_{\mathfrak{S}}(cl(A)) \subseteq cl(Post^k_{\mathfrak{S}}(A))$, hence that $Post^*_{\mathfrak{S}}(cl(A)) \subseteq cl(Post^*_{\mathfrak{S}}(A))$. □

Proposition 5.3. Let $\mathfrak{S}$ be an $\infty$-effective complete functional transition system and $A_n$ be the value of the set $A$, computed by the procedure $Clover_{\mathfrak{S}}$ on input $s_0$, after $n$ iterations of the while statement at line 2. Then $A_n$ is finite, and $A_n \leq^\flat A_{n+1} \leq^\flat Clover_{\mathfrak{S}}(s_0)$, for every $n \in \mathbb{N}$.



Proof. It is obvious that $A_n$ is finite. Also, the inclusion $A_n \subseteq \downarrow A_{n+1}$ is clear, and entails $A_n \leq^\flat A_{n+1}$.

We show that $A_n \leq^\flat Clover_{\mathfrak{S}}(s_0)$, i.e., that $A_n \subseteq \downarrow Clover_{\mathfrak{S}}(s_0)$, by induction on $n$. By Proposition 3.7 it is equivalent to show that $A_n \subseteq cl(Cover_{\mathfrak{S}}(s_0))$.

If $n = 0$, $A_0 = \{s_0\}$, so $A_0 \subseteq Cover_{\mathfrak{S}}(s_0) \subseteq cl(Cover_{\mathfrak{S}}(s_0))$.

Assume $A_n \subseteq cl(Cover_{\mathfrak{S}}(s_0))$, and let us prove that $A_{n+1} \subseteq cl(Cover_{\mathfrak{S}}(s_0))$. Let $(g, a)$ be the selected pair at line (a). We must show that $g^\infty(a) \in cl(Cover_{\mathfrak{S}}(s_0))$.

If $a \not\leq g(a)$, then $g^\infty(a) = g(a)$ is in $Post^*_{\mathfrak{S}}(a)$, and since $a \in A_n$ and $A_n \subseteq cl(Cover_{\mathfrak{S}}(s_0))$ by induction hypothesis, $g(a)$ is in $Post^*_{\mathfrak{S}}(cl(Cover_{\mathfrak{S}}(s_0)))$. The latter is contained in $cl(Post^*_{\mathfrak{S}}(Cover_{\mathfrak{S}}(s_0)))$ by Lemma 5.2, i.e., in $cl(Cover_{\mathfrak{S}}(s_0))$ by monotonicity.

If $a \leq g(a)$, then $g^\infty(a) = \mathrm{lub}\{g^n(a) \mid n \in \mathbb{N}\}$ is a least upper bound of a directed chain of elements in $Post^*_{\mathfrak{S}}(a)$. So $g^\infty(a) \in Lub(Post^*_{\mathfrak{S}}(a)) \subseteq cl(Post^*_{\mathfrak{S}}(a))$. Since $a \in A_n$ and $A_n \subseteq cl(Cover_{\mathfrak{S}}(s_0))$ by induction hypothesis, $g^\infty(a)$ is in $cl(Post^*_{\mathfrak{S}}(cl(Cover_{\mathfrak{S}}(s_0))))$. The latter is contained in $cl(cl(Post^*_{\mathfrak{S}}(Cover_{\mathfrak{S}}(s_0)))) = cl(Post^*_{\mathfrak{S}}(Cover_{\mathfrak{S}}(s_0)))$ by Lemma 5.2, i.e., in $cl(Cover_{\mathfrak{S}}(s_0))$ by monotonicity. □

If the procedure $Clover_{\mathfrak{S}}$ does not stop, it will compute an infinite sequence of sets of states. In other words, $Clover_{\mathfrak{S}}$ does not deadlock. This is the progress property mentioned in Section 4.1.



Proposition 5.4 (Progress). Let $\mathfrak{S}$ be an $\infty$-effective complete functional WSTS and $A_n$ be the value of the set $A$, computed by the procedure $Clover_{\mathfrak{S}}$ on input $s_0$, after $n$ iterations of the while statement at line 2. If $\bigcup_n A_n$ is finite, then the procedure $Clover_{\mathfrak{S}}$ terminates on input $s_0$.

Proof. Assume $Clover_{\mathfrak{S}}$ does not stop on input $s_0$, but $A = \bigcup_n A_n$ is finite. Since the sets $A_n$ form an increasing sequence of subsets of the finite set $A$, there is an index $m$ such that $A_n = A_m$ for all $n \geq m$; also $A = A_m$. Let $(g, a) \in F^* \times A$ be arbitrary. We shall show that $g(a) \leq^\flat A$, i.e., there is an element $a' \in A$ such that $g(a) \leq a'$. Since $a \in A_m$, by fairness there is an $n \in \mathbb{N}$ with $n \geq m$ such that $(g, a)$ is picked at line (a) after $n$ iterations of the loop. Then $g^\infty(a) \leq^\flat A_{n+1} = A$, so $g(a) \leq g^\infty(a) \leq^\flat A_{n+1} = A$. It follows that $Post^*_{\mathfrak{S}}(A) \leq^\flat A$, so $Post_{\mathfrak{S}}(A) \leq^\flat A$, hence the procedure must stop after $m$ turns of the loop: contradiction. The converse implication is obvious. □

While $Clover_{\mathfrak{S}}$ is non-deterministic, this is don't care non-determinism: if one execution does not terminate, then no execution terminates. If $Clover_{\mathfrak{S}}$ terminates, then it computes the clover, and if it does not terminate, then at each step $n$, the set $A_n$ is contained in the clover. Let us recall that $A_n \leq^\flat A_{n+1}$. We can now prove:

Theorem 5.5 (Correctness). If $Clover_{\mathfrak{S}}(s_0)$ terminates, then it computes $Clover_{\mathfrak{S}}(s_0)$.

Proof. If $Clover_{\mathfrak{S}}$ terminates, then it returns a set $Max\, A$ such that $Post_{\mathfrak{S}}(A) \leq^\flat A$, i.e., $Post_{\mathfrak{S}}(A) \subseteq {\downarrow} A$. By monotonicity, it follows that $Post_{\mathfrak{S}}({\downarrow} A) \subseteq {\downarrow} A$, hence that ${\downarrow} Post^*_{\mathfrak{S}}({\downarrow} A) \subseteq {\downarrow} A$. Note that ${\downarrow} A = {\downarrow} Max\, A$, since $A$ is finite. It follows that $Cover_{\mathfrak{S}}(s)$ is contained in ${\downarrow} Max\, A$ for any $s \in {\downarrow} A$. However, by Proposition 5.3, $\{s_0\} = A_0 \leq^\flat A_1 \leq^\flat \cdots \leq^\flat A_n \leq^\flat \cdots \leq^\flat A$, so $s_0 \in {\downarrow} A$. So $Cover_{\mathfrak{S}}(s_0) \subseteq {\downarrow} Max\, A$.

Since $A$ is finite, $Max\, A$ is, too, so ${\downarrow} Max\, A$ is closed. Any closed set containing another set must contain its closure. So ${\downarrow} Max\, A$ must also contain $cl(Cover_{\mathfrak{S}}(s_0))$. By Proposition 3.7, ${\downarrow} Max\, A$ must therefore contain ${\downarrow} Clover_{\mathfrak{S}}(s_0)$. In other words, $Clover_{\mathfrak{S}}(s_0) \leq^\flat Max\, A$. However, using Proposition 5.3 again, $Max\, A \leq^\flat A \leq^\flat Clover_{\mathfrak{S}}(s_0)$. So $Max\, A = Clover_{\mathfrak{S}}(s_0)$. □



If the generalized Karp-Miller tree procedure (see Section 4.1) terminates, then it has found a finite set $g_1, g_2, \dots, g_n$ of maps to lub-accelerate. These lub-accelerations will also be found by $Clover_{\mathfrak{S}}$, by fairness. From the fixpoint test, $Clover_{\mathfrak{S}}$ will also stop. So $Clover_{\mathfrak{S}}$ terminates on at least all inputs where the generalized Karp-Miller tree procedure terminates. We can say more:

Proposition 5.6. The procedure $Clover_{\mathfrak{S}}$ terminates on strictly more input states $s_0 \in S$ than the generalized Karp-Miller tree procedure.

Proof. Consider the reset Petri net of [DFS98, Example 3] again (Figure 3). Add a new transition $t_5(n_1, n_2, n_3, n_4) = (n_1 + 1, n_2 + 1, n_3 + 1, n_4 + 1)$. The generalized Karp-Miller procedure does not terminate on this modified reset Petri net starting from $s_0 = (1, 1, 0, 0)$, because it already does not terminate on the smaller one of Section 4.1. On the other hand, by fairness, $Clover_{\mathfrak{S}}$ will sooner or later decide to pick a pair of the form $(t_5, a)$ at line (a), and then immediately terminate with the maximal state $(\omega, \omega, \omega, \omega)$, which is the sole element of the clover. □
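As an added, concrete illustration of the procedure on the class of systems used in this proof (this is example code written for this page, not the authors' implementation): states are tuples over $\mathbb{N} \cup \{\omega\}$, transitions are reset Petri net transitions, `lub_accelerate` computes $g^\infty$, and `clover` runs the loop with the fixpoint test $Post(A) \leq^\flat A$ and a fair enumeration of pairs $(g, a)$. The four-place net below is constructed here and is not the net of [DFS98, Example 3]; only its transition `T5`, which adds a token to every place, is taken from the proof. The rule used to compute $g^\infty$ (compare $g(a)$ with $g^2(a)$) is specific to reset-net transitions, whose components are translations or constants; the round budget stands in for the fact that the procedure need not terminate on reset nets in general.

```python
import itertools
import math

# ω, the limit of an unbounded place, is represented by math.inf: it is above
# every natural number and inf + k = inf - k = inf, which is the arithmetic of
# N ∪ {ω} in the completion of a Petri net.
OMEGA = math.inf


class ResetTransition:
    """Constructed reset Petri net transition on k places: fireable when
    x >= pre componentwise; then remove pre, empty the places in `resets`,
    and add post.  Outside its (upward-closed) domain it returns None."""

    def __init__(self, name, pre, post, resets=()):
        self.name, self.pre, self.post = name, pre, post
        self.resets = frozenset(resets)

    def __call__(self, x):
        if any(xi < ai for xi, ai in zip(x, self.pre)):
            return None
        y = [xi - ai for xi, ai in zip(x, self.pre)]
        for i in self.resets:
            y[i] = 0
        return tuple(yi + bi for yi, bi in zip(y, self.post))

    def __repr__(self):
        return self.name


def apply_word(word, x):
    """The word g1 g2 ... gn denotes the composition gn o ... o g1 (g1 first)."""
    for g in word:
        x = g(x)
        if x is None:
            return None
    return x


def leq(x, y):
    return all(xi <= yi for xi, yi in zip(x, y))


def lub_accelerate(word, a):
    """g^∞(a) for g = word: g(a) if a is not <= g(a), else lub{g^n(a) | n in N}.
    For reset-net transitions each component of a composite map is either a
    translation x -> x + d or a constant function, so along the increasing
    chain a <= g(a) <= g^2(a) <= ... a component either stabilises after one
    step or grows forever to ω; comparing g(a) with g^2(a) decides which."""
    ga = apply_word(word, a)
    if ga is None:
        return None
    if not leq(a, ga):
        return ga
    gga = apply_word(word, ga)  # defined: domains are upward-closed and ga >= a
    return tuple(OMEGA if y2 > y1 else y1 for y1, y2 in zip(ga, gga))


def post_below(A, transitions):
    """Fixpoint test Post(A) <=♭ A: every one-step successor of an element of
    A is below some element of A."""
    for a in A:
        for f in transitions:
            fa = f(a)
            if fa is not None and not any(leq(fa, b) for b in A):
                return False
    return True


def max_elements(A):
    """Max A: the maximal elements of the finite set A."""
    return {a for a in A if not any(a != b and leq(a, b) for b in A)}


def clover(s0, transitions, max_rounds=6):
    """A := {s0}; while Post(A) is not <=♭ A, pick a pair (g, a) and add g^∞(a).
    Round r enumerates every word of length <= r on every element of A, which
    makes the choice fair.  Returns Max A, or None if the round budget runs
    out (the procedure need not terminate on reset nets)."""
    A = {s0}
    for r in range(1, max_rounds + 1):
        for a in list(A):
            for n in range(1, r + 1):
                for word in itertools.product(transitions, repeat=n):
                    if post_below(A, transitions):
                        return max_elements(A)
                    acc = lub_accelerate(word, a)
                    if acc is not None:
                        A.add(acc)
    return max_elements(A) if post_below(A, transitions) else None


# Constructed four-place net (not the net of [DFS98, Example 3]): T1/T2 shuttle
# a token between p1 and p2 while pumping p3, T3 consumes p3 (resetting it)
# into p4, T4 moves p4 back to p3, and T5 is the transition added in the proof.
T1 = ResetTransition("t1", pre=(1, 0, 0, 0), post=(0, 1, 0, 0))
T2 = ResetTransition("t2", pre=(0, 1, 0, 0), post=(1, 0, 1, 0))
T3 = ResetTransition("t3", pre=(0, 0, 1, 0), post=(0, 0, 0, 1), resets={2})
T4 = ResetTransition("t4", pre=(0, 0, 0, 1), post=(0, 0, 1, 0))
T5 = ResetTransition("t5", pre=(0, 0, 0, 0), post=(1, 1, 1, 1))
NET = [T1, T2, T3, T4, T5]

if __name__ == "__main__":
    print(clover((1, 1, 0, 0), NET))        # {(inf, inf, inf, inf)}
    print(clover((1, 1, 0, 0), [T1, T2]))   # three ω-states with p1 + p2 = 2
```

Running the module from $(1,1,0,0)$ on `NET` returns the single state $(\omega,\omega,\omega,\omega)$ after one acceleration of `T5`, as in the proof; on the sub-net `[T1, T2]` the same loop needs accelerations of the two-letter words `t1 t2` and `t2 t1` from several elements of $A$, and returns the three maximal states $(2,0,\omega,0)$, $(1,1,\omega,0)$, $(0,2,\omega,0)$, which describe the whole (infinite) downward-closed reachability set. On a net whose reachability set is finite the fixpoint test is reached without any $\omega$, which is the situation of Lemma 5.7 below.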

Deciding when $Clover_{\mathfrak{S}}$ terminates is itself impossible. We first observe that $Clover_{\mathfrak{S}}$ terminates on each bounded state.

Lemma 5.7. Let $\mathfrak{S} = (S, \to_F, \leq)$ be an $\infty$-effective complete WSTS, and $s_0 \in S$ a state that is bounded, i.e., such that the reachability set $Post^*_{\mathfrak{S}}(s_0)$ is finite. Then $Clover_{\mathfrak{S}}(s_0)$ terminates.

Proof. Since $Post^*_{\mathfrak{S}}(s_0)$ is finite, $g^\infty(s)$ is in $Post^*_{\mathfrak{S}}(s_0)$ for every $s \in Post^*_{\mathfrak{S}}(s_0)$ and every $g \in F^*$ with $s \in dom\, g$. So, defining again $A_n$ as the value of the set $A$ computed by $Clover_{\mathfrak{S}}$ on input $s_0$, after $n$ iterations of the while statement at line 2, $\bigcup_{n \in \mathbb{N}} A_n$ is contained in $Post^*_{\mathfrak{S}}(s_0)$, hence finite. By Proposition 5.4, $Clover_{\mathfrak{S}}(s_0)$ terminates. □



Proposition 5.8. There is an $\infty$-effective complete WSTS such that we cannot decide, given $s_0 \in S$, whether $Clover_{\mathfrak{S}}(s_0)$ will terminate.

Proof. Assume we can decide whether $Clover_{\mathfrak{S}}(s_0)$ terminates.

If $Clover_{\mathfrak{S}}(s_0)$ does not terminate, then $Post^*_{\mathfrak{S}}(s_0)$ is infinite, by Lemma 5.7.

If on the other hand $Clover_{\mathfrak{S}}(s_0)$ terminates, then it computes the clover $Clover_{\mathfrak{S}}(s_0)$ by Theorem 5.5, and we can decide boundedness as in the proof of Proposition 4.6 in the case of functional-lossy channel systems: just check whether any of the computed word-products contains a starred atomic expression $A^*$.

In any case, we can decide boundedness, i.e., whether $Post^*_{\mathfrak{S}}(s_0)$ is finite. But this is impossible [CFP96, May03b]. A similar argument works with reset Petri nets, where boundedness is also undecidable [DFS98]. □

Figure 5: Flattening



5.2. Clover-Flattable Complete WSTS. We now characterize those $\infty$-effective complete WSTS on which $Clover_{\mathfrak{S}}$ terminates.

A functional transition system $(\mathfrak{S}, \to_F)$ with initial state $s_0$ is flat iff there are finitely many words $w_1, w_2, \dots, w_k \in F^*$ such that any fireable sequence of transitions from $s_0$ is contained in the language $w_1^* w_2^* \cdots w_k^*$. (We equate functions in $F$ with letters from the alphabet $F$, and words with the corresponding composition of maps, i.e., $fg$ denotes $g \circ f$.) Ginsburg and Spanier [GS64] call this a bounded language, and show that it is decidable whether a given context-free language is flat, i.e., bounded.

Not all systems of interest are flat. The simplest example of a non-flat system has one state $q$ and two transitions from $q$ to itself, $q \to q$ and $q \to q$, with distinct labels.

For an arbitrary system $\mathfrak{S}$, flattening [BFLS05] consists in finding a flat system $\mathfrak{S}'$, equivalent to $\mathfrak{S}$ with respect to reachability, and in computing on $\mathfrak{S}'$ instead of $\mathfrak{S}$. We adapt the definition in [BFLS05] to functional transition systems, without an explicit finite control graph for now (but see Definition 5.15).

Definition 5.9 (Flattening). A flattening of a functional transition system $\mathfrak{S}_2 = (S_2, \to_{F_2})$ is a pair $(\mathfrak{S}_1, \varphi)$, where:

(1) $\mathfrak{S}_1 = (S_1, \to_{F_1})$ is a flat functional transition system;

(2) and $\varphi : \mathfrak{S}_1 \to \mathfrak{S}_2$ is a morphism of transition systems. That is, $\varphi$ is a pair of two maps, both written $\varphi$, from $S_1$ to $S_2$ and from $F_1$ to $F_2$, such that for all $(s, s') \in S_1^2$, for all $f_1 \in F_1$ such that $s \in dom f_1$ and $s' = f_1(s)$, $\varphi(s) \in dom\, \varphi(f_1)$ and $\varphi(s') = \varphi(f_1)(\varphi(s))$ (see Figure 5).

Let us recall that a pair $(\mathfrak{S}, s_0)$ of a transition system and a state is $Post^*$-flattable iff there is a flattening $(\mathfrak{S}_1, \varphi)$ of $\mathfrak{S}$ and a state $s_1$ of $\mathfrak{S}_1$ such that $\varphi(s_1) = s_0$ and $Post^*_{\mathfrak{S}}(s_0) = \varphi(Post^*_{\mathfrak{S}_1}(s_1))$.

Recall that we equate ordered functional transition systems $(S, \to_F, \leq)$ with their underlying functional transition system $(S, \to_F)$. The notion of flattening then extends to ordered functional transition systems. However, it is then natural to consider monotonic flattenings, where in addition $\varphi : S_1 \to S_2$ is monotonic. In the case of complete transition systems, the natural extension requires $\varphi$ to be continuous:

Definition 5.10 (Continuous Flattening). Let $\mathfrak{S}_2 = (S_2, \to_{F_2}, \leq_2)$ be a complete transition system. A flattening $(\mathfrak{S}_1, \varphi)$ of $\mathfrak{S}_2$ is continuous iff:

(1) $\mathfrak{S}_1 = (S_1, \to_{F_1}, \leq_1)$ is a complete transition system;

(2) and $\varphi : S_1 \to S_2$ is continuous.

Definition 5.11 (Clover-Flattable). Let $\mathfrak{S}$ be a complete transition system, and $s_0$ be a state. We say that $(\mathfrak{S}, s_0)$ is clover-flattable iff there is a continuous flattening $(\mathfrak{S}_1, \varphi)$ of $\mathfrak{S}$, and a state $s_1$ of $\mathfrak{S}_1$ such that:

(1) $\varphi(s_1) = s_0$ ($\varphi$ maps initial states to initial states);

(2) $cl(Cover_{\mathfrak{S}}(s_0)) = cl(\varphi(cl(Cover_{\mathfrak{S}_1}(s_1))))$ ($\varphi$ preserves the closures of the covers of the initial states).

On complete WSTS, our object of study, the second condition can be simplified to ${\downarrow} Clover_{\mathfrak{S}}(s_0) = {\downarrow} \varphi(Clover_{\mathfrak{S}_1}(s_1))$ (using Proposition 3.7 and the fact that $\varphi$, as a continuous map, is monotonic), or equivalently to $Clover_{\mathfrak{S}}(s_0) = Max\, \varphi(Clover_{\mathfrak{S}_1}(s_1))$. Recall also that, when $\mathfrak{S}$ is the completion $\hat{\mathfrak{X}}$ of a WSTS $\mathfrak{X} = (X, \to, \leq)$, the clover of $s_0 \in X$ is a finite description of the cover of $s_0$ in $\mathfrak{X}$ (Proposition 3.9), and this is what $\varphi$ should preserve, up to taking downward closures.

There are apparently weaker and stronger forms of clover-flattability, which we now introduce. Let us start with the weak form, where equality in the second condition is replaced by inclusion:

Definition 5.12 (Weakly Clover-Flattable). Let $\mathfrak{S}$ be a complete transition system, and $s_0$ be a state. We say that $(\mathfrak{S}, s_0)$ is weakly clover-flattable iff there is a continuous flattening $(\mathfrak{S}_1, \varphi)$ of $\mathfrak{S}$, and a state $s_1$ of $\mathfrak{S}_1$ such that:

(1) $\varphi(s_1) \leq s_0$;

(2) and $cl(Cover_{\mathfrak{S}}(s_0)) \subseteq cl(\varphi(cl(Cover_{\mathfrak{S}_1}(s_1))))$.

One may simplify the second condition slightly, to: $Cover_{\mathfrak{S}}(s_0) \subseteq cl(\varphi(cl(Cover_{\mathfrak{S}_1}(s_1))))$. In the case of complete WSTS, this is equivalent to $Clover_{\mathfrak{S}}(s_0) \leq^\flat \varphi(Clover_{\mathfrak{S}_1}(s_1))$.

The strong form of clover-flattability uses an explicit finite control graph, as in [BFLS05]. Recall that a rlre (restricted linear regular expression) over the alphabet $\Sigma$ is a regular expression of the form $w_1^* w_2^* \cdots w_k^*$, where $w_1, w_2, \dots, w_k \in \Sigma^*$. The language of an rlre is clearly bounded, and the language $Pfx(w_1^* w_2^* \cdots w_k^*)$ of prefixes of all words from the latter is then again bounded [GS64].

Recall that a deterministic finite automaton (DFA) is a tuple $\mathcal{A} = (\Sigma, Q, \delta, q_0, Fin)$, where $\Sigma$ is a finite alphabet, $Q$ is a finite set of so-called control states, $q_0 \in Q$ is the initial state, $Fin \subseteq Q$ is the set of final states, and $\delta : Q \times \Sigma \to Q$ is a partial function called the transition function.

One can convert any rlre to a DFA recognizing the same language. For example, Figure 6 displays a DFA for $a^* (bcc)^* (bcaa)^*$ over $\Sigma = \{a, b, c\}$, where final states are circled. The language $Pfx(a^* (bcc)^* (bcaa)^*)$ is then recognized by the same DFA, except that now all states are final.

This is general: $Pfx(w_1^* w_2^* \cdots w_k^*)$ is always recognizable by a DFA whose states are all final. Let us therefore call rl-automaton any such DFA. Since all states are final, we shall omit the $Fin$ component, and say that $\mathcal{A} = (\Sigma, Q, \delta, q_0)$ itself is an rl-automaton.

Figure 6: An rl-automaton

Let us define the synchronized product.

Definition 5.13 (Synchronized Product). Let $\mathfrak{S} = (S, \to_F, \leq)$ be a complete functional transition system, and $\mathcal{A} = (F, Q, \delta, q_0)$ be an rl-automaton on the same alphabet $F$.

Define the synchronized product $\mathfrak{S} \times \mathcal{A}$ as the ordered functional transition system $(S \times Q, \to_{F'}, \leq')$, where $F'$ is the collection of all partial maps $f \bowtie \delta : (s, q) \mapsto (f(s), \delta(q, f))$, for each $f \in F$ such that $\delta(q, f)$ is defined for some $q \in Q$. Let also $(s, q) \leq' (s', q')$ iff $s \leq s'$ and $q = q'$.

Let $\pi_1$ be the morphism of transition systems defined as first projection on states; i.e., $\pi_1(s, q) = s$ for all $(s, q) \in S \times Q$, $\pi_1(f \bowtie \delta) = f$ for all $f \in F$.

Lemma 5.14 (Synchronized Product). Let $\mathfrak{S} = (S, \to_F, \leq)$ be a complete functional transition system, and $\mathcal{A} = (F, Q, \delta, q_0)$ be an rl-automaton on the same alphabet $F$. Then $(\mathfrak{S} \times \mathcal{A}, \pi_1)$ is a continuous flattening of $\mathfrak{S}$.

Proof. First, the technical condition that $\delta(q, f)$ should be defined for some $q \in Q$ only excludes maps $f \bowtie \delta$ with an empty domain, and is therefore benign. This technical condition is needed to define $\pi_1(f \bowtie \delta)$ as $f$: formally, we define $\pi_1(f')$ for any $f' \in F'$ by letting $\pi_1(f')(s)$ be the first component of the pair $f'(s, q)$, where $q$ is some arbitrary state such that $\delta(q, f)$ is defined, and let $\pi_1(f')(s)$ be undefined otherwise; when $f' = f \bowtie \delta$, such a $q$ exists by the technical condition, and this will yield $f(s)$ when $s \in dom f$, and will be undefined otherwise. So indeed $\pi_1(f \bowtie \delta) = f$.

$(S \times Q, \leq')$ is easily seen to be a dcpo. In fact, it is the disjoint sum of finitely many copies of $S$, and as such, is a continuous dcpo. It is also well-ordered, as a finite disjoint sum of well-ordered spaces. So $S \times Q$ is a continuous dcwo. Then we check that $f \bowtie \delta$ is partial continuous. Its domain is $\bigcup_{q \in Q,\ \delta(q,f) \text{ defined}} dom f \times \{q\}$, which is open. Moreover $f \bowtie \delta$ is clearly continuous for every $f \in F$: for any directed family $(s_i, q_i)_{i \in I}$ in $dom(f \bowtie \delta)$, first all $q_i$'s must be equal, say $q_i = q \in Q$, and second $(s_i)_{i \in I}$ must be directed in $dom f$. So $f(lub\{s_i \mid i \in I\}) = lub\{f(s_i) \mid i \in I\}$, whence $(f \bowtie \delta)(lub\{(s_i, q) \mid i \in I\}) = (lub\{f(s_i) \mid i \in I\}, \delta(q, f)) = lub\{(f \bowtie \delta)(s_i, q) \mid i \in I\}$. That $\pi_1$ is continuous is clear as well.

Finally, the language of fireable transitions in $\mathfrak{S} \times \mathcal{A}$ is contained in the language of $\mathcal{A}$, which is of the form $Pfx(w_1^* w_2^* \cdots w_k^*)$, hence bounded. So $\mathfrak{S} \times \mathcal{A}$ is flat. □
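The two constructions just used, an rl-automaton for $Pfx(w_1^* w_2^* \cdots w_k^*)$ and the synchronized product $f \bowtie \delta$ of Definition 5.13, as an added example (code written for this page, not the authors' own). The automaton is built for the rlre $a^*(bcc)^*(bcaa)^*$ of Figure 6 by the standard subset construction, a detail the text leaves to the reader: positions $(i, j)$ "inside block $i$, $j$ letters of $w_i$ read" are the states of a small NFA, a block boundary may start any later block, and the resulting DFA has all states final. The two-counter system it is synchronized with is constructed here (a VASS with a single control state, transitions named by the letters $a$, $b$, $c$); the assumption that transitions carry the automaton's letters as names is what lets $\delta(q, f)$ be looked up by name.

```python
from collections import deque
from itertools import product as cartesian


def rl_automaton(words):
    """rl-automaton for Pfx(w_1* w_2* ... w_k*): a DFA all of whose states are
    final, returned as (q0, delta) with delta a partial transition function.
    NFA positions are pairs (i, j): inside block i, j letters of w_i read.  A
    block boundary (i, 0) may also begin any later block, which `closure`
    records; the subset construction then yields the DFA.  Every state is
    final because every prefix of a word of the language is in Pfx(...)."""
    k = len(words)

    def closure(positions):
        out = set(positions)
        for i, j in positions:
            if j == 0:
                out.update((i2, 0) for i2 in range(i, k))
        return frozenset(out)

    def step(state, letter):
        nxt = set()
        for i, j in state:
            if words[i][j] == letter:
                nxt.add((i, (j + 1) % len(words[i])))  # full copy read: boundary
        return closure(nxt)

    alphabet = sorted(set("".join(words)))
    q0 = closure({(0, 0)})
    delta, todo, seen = {}, deque([q0]), {q0}
    while todo:
        q = todo.popleft()
        for a in alphabet:
            q2 = step(q, a)
            if q2:                      # empty set: delta(q, a) is undefined
                delta[(q, a)] = q2
                if q2 not in seen:
                    seen.add(q2)
                    todo.append(q2)
    return q0, delta


def run(q0, delta, word):
    """State reached by reading `word`, or None if delta is undefined on the
    way.  All states are final, so `word` is in Pfx(...) iff the run exists."""
    q = q0
    for a in word:
        q = delta.get((q, a))
        if q is None:
            return None
    return q


def product_step(transitions, delta, config, name):
    """The product transition f ⋈ δ: (s, q) -> (f(s), δ(q, f)), defined only
    when both f(s) (f partial on states) and δ(q, f) are."""
    s, q = config
    s2, q2 = transitions[name](s), delta.get((q, name))
    return None if s2 is None or q2 is None else (s2, q2)


def fireable_words(step, start, names, length):
    """All words of `length` letters fireable from `start` under `step`."""
    out = set()
    for word in cartesian(names, repeat=length):
        c = start
        for name in word:
            c = step(c, name)
            if c is None:
                break
        else:
            out.add("".join(word))
    return out


# Constructed two-counter system (a VASS with one control state): a adds to the
# first counter, b moves a unit from the first to the second, c removes a unit
# from the second.  Each map is partial: None outside its domain.
COUNTERS = {
    "a": lambda s: (s[0] + 1, s[1]),
    "b": lambda s: (s[0] - 1, s[1] + 1) if s[0] >= 1 else None,
    "c": lambda s: (s[0], s[1] - 1) if s[1] >= 1 else None,
}


def free_step(s, name):
    return COUNTERS[name](s)


if __name__ == "__main__":
    q0, delta = rl_automaton(["a", "bcc", "bcaa"])
    flat_step = lambda c, n: product_step(COUNTERS, delta, c, n)
    free = fireable_words(free_step, (2, 0), "abc", 3)
    flat = fireable_words(flat_step, ((2, 0), q0), "abc", 3)
    print(sorted(flat))          # firing sequences of the synchronized product
    print(sorted(free - flat))   # sequences the control automaton rules out
```

The word `bcaabcc` is rejected by the automaton because, once the $(bcaa)^*$ block has been entered, the earlier $(bcc)^*$ block can no longer be used: this is exactly why the firing language of the product is bounded, hence why $\mathfrak{S} \times \mathcal{A}$ is flat. The same projection $\pi_1$ that Lemma 5.14 uses appears here as dropping the automaton state from each product configuration.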
Strong flattenings are special: the decision to take the next action $f \in F$ from state $(s, q)$ is dictated by the current control state $q$ only, while ordinary flattenings allow more complex decisions to be made.

We say that a transition system is strongly clover-flattable iff we can require that the flat system $\mathfrak{S}_1$ is a synchronized product, and the continuous morphism of transition systems $\varphi$ is first projection.

Definition 5.15 (Strongly Clover-Flattable). Let $\mathfrak{S} = (S, \to_F, \leq)$ be a complete functional transition system. We say that $(\mathfrak{S}, s_0)$ is strongly clover-flattable iff there is an rl-automaton $\mathcal{A}$, say with initial state $q_0$, such that $cl(Cover_{\mathfrak{S}}(s_0)) = cl(\pi_1(cl(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0))))$.

The following is then obvious.

Lemma 5.16. On complete functional transition systems, the implications "strongly clover-flattable" $\Rightarrow$ "clover-flattable" $\Rightarrow$ "weakly clover-flattable" hold. □

It is also easy to show that "weakly clover-flattable" also implies "clover-flattable". However, we shall show something more general in Theorem 5.21 below.



We show in Proposition 5.18 that $Clover_{\mathfrak{S}}(s_0)$ can only terminate when $(\mathfrak{S}, s_0)$ is strongly clover-flattable. We shall require the following lemma. For notational simplicity, we equate words $g_1 g_2$ with compositions $g_2 \circ g_1$.

Lemma 5.17. Let $\mathfrak{S} = (S, \to_F)$ be a complete functional transition system, and $s_0 \in S$. Assume $g_1^\infty g_2^\infty \cdots g_n^\infty(s_0)$ is defined, and in some open subset $U$ of $S$, for some $g_1, g_2, \dots, g_n \in F$. Then there are natural numbers $k_1, k_2, \dots, k_n$ such that $g_1^{k_1} g_2^{k_2} \cdots g_n^{k_n}(s_0)$ is defined, and in $U$.

Proof. By induction on $n$. This is clear if $n = 0$. Otherwise, let $s = g_1^\infty g_2^\infty \cdots g_{n-1}^\infty(s_0)$, so that $g_n^\infty(s)$ is defined and in $U$. If $s \leq g_n(s)$, then $g_n^\infty(s) = lub\{g_n^k(s) \mid k \in \mathbb{N}\}$. That the latter is in the Scott-open $U$ implies that $g_n^{k_n}(s)$ is in $U$ for some $k_n \in \mathbb{N}$. If $s \not\leq g_n(s)$, then $g_n^\infty(s) = g_n(s)$, and we take $k_n = 1$. Let $V$ be the open $(g_n^{k_n})^{-1}(U)$. (Note that, whereas $g_n^\infty$ is not partial continuous in general, $g_n^{k_n}$ is.) So $s = g_1^\infty g_2^\infty \cdots g_{n-1}^\infty(s_0)$ is in $V$, in each case. We apply the induction hypothesis and obtain the existence of $k_1, k_2, \dots, k_{n-1}$ such that $g_1^{k_1} g_2^{k_2} \cdots g_{n-1}^{k_{n-1}}(s_0)$ is defined and in $V$. Hence $g_1^{k_1} g_2^{k_2} \cdots g_n^{k_n}(s_0)$ is defined, and in $U$, by definition of $V$. □

Proposition 5.18. Let $\mathfrak{S}$ be an $\infty$-effective complete WSTS. If $Clover_{\mathfrak{S}}$ terminates on $s_0$, then $(\mathfrak{S}, s_0)$ is strongly clover-flattable.

Proof. Write $\mathfrak{S}$ as $(S, \to_F, \leq)$. Assume that $Clover_{\mathfrak{S}}$ terminates on $s_0$. Then it returns some finite set $A$ such that $A = Clover_{\mathfrak{S}}(s_0)$ by Theorem 5.5. Enumerate the elements $a_1, \dots, a_k$ of $A$. Each element $a_i$ of $A$, $1 \leq i \leq k$, is obtained as $g_{i1}^\infty g_{i2}^\infty \cdots g_{in_i}^\infty(s_0)$, where each $g_{ij}$ is in $F^*$.

Build a DFA for the language $\mathcal{L} = g_{11}^* g_{12}^* \cdots g_{1n_1}^*\ g_{21}^* g_{22}^* \cdots g_{2n_2}^* \cdots g_{k1}^* g_{k2}^* \cdots g_{kn_k}^*$. Make all its states final, so as to obtain an rl-automaton $\mathcal{A}$, with initial state $q_0$.

We must show that $cl(Cover_{\mathfrak{S}}(s_0)) = cl(\pi_1(cl(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0))))$, i.e., that ${\downarrow} A = cl(\pi_1(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0)))$.

The inclusion from right to left is obvious: for any state $(s, q)$ that is reachable from ${\downarrow}(s_0, q_0)$ in $\mathfrak{S} \times \mathcal{A}$, $s$ is reachable from ${\downarrow} s_0$ in $\mathfrak{S}$. So $\pi_1(Post^*_{\mathfrak{S} \times \mathcal{A}}({\downarrow}(s_0, q_0))) \subseteq Post^*_{\mathfrak{S}}({\downarrow} s_0)$. Taking downward closures yields $\pi_1(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0)) \subseteq Cover_{\mathfrak{S}}(s_0)$, and taking closures yields $cl(\pi_1(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0))) \subseteq cl(Cover_{\mathfrak{S}}(s_0)) = {\downarrow} A$ (using Theorem 5.5 and Proposition 3.7).

The other inclusion reduces to showing that for every $i$, $1 \leq i \leq k$, the $i$th element $a_i$ of $A$ is in $cl(\pi_1(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0)))$. It is equivalent to show that every open subset $U$ containing $a_i$ intersects $\pi_1(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0))$. By Lemma 5.17 (applied to the maps $g_{i1}, \dots, g_{in_i} \in F^*$) there are natural numbers $k_1, k_2, \dots, k_{n_i}$ such that $g_{i1}^{k_1} g_{i2}^{k_2} \cdots g_{in_i}^{k_{n_i}}(s_0)$ is defined and in $U$. Since the word $g_{i1}^{k_1} g_{i2}^{k_2} \cdots g_{in_i}^{k_{n_i}}$ is in the language $\mathcal{L}$, $g_{i1}^{k_1} g_{i2}^{k_2} \cdots g_{in_i}^{k_{n_i}}(s_0)$ is the first component of some pair reachable from $(s_0, q_0)$ in $\mathfrak{S} \times \mathcal{A}$. In particular, $g_{i1}^{k_1} g_{i2}^{k_2} \cdots g_{in_i}^{k_{n_i}}(s_0)$ is in $\pi_1(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0))$. So $U$ intersects $\pi_1(Cover_{\mathfrak{S} \times \mathcal{A}}(s_0, q_0))$, as claimed. □

We now loop the loop and show that $Clover_{\mathfrak{S}}$ terminates on $s_0$ whenever $(\mathfrak{S}, s_0)$ is weakly clover-flattable (Theorem 5.21 below). This may seem obvious. In particular, if $(\mathfrak{S}, s_0)$ is clover-flattable, then accelerate along the loops from $\mathfrak{S}_1$, where $(\mathfrak{S}_1, \varphi)$ is a continuous flattening of $\mathfrak{S}$. The difficulty is that we cannot actually choose to accelerate whenever we want: the $Clover_{\mathfrak{S}}$ procedure decides by itself when it should accelerate, independently of any flattening whatsoever.

There is an added difficulty, in the sense that one should also check that lub-accelerations, as they are used in $Clover_{\mathfrak{S}}$, are enough to reach all required least upper bounds. The key point is the following lemma, which asserts the existence of finitely many subsequences $g^{p_j + \ell q_j}(s)$, $\ell \in \mathbb{N}$, whose exponents form infinite arithmetic progressions, and which generate all possible limits of directed families of elements of the form $g^n(s)$, $n \in \mathbb{N}$, except possibly for finitely many isolated points.

This is the point in our study where the well-ordering assumption is needed. Indeed, we require $S$ to be wpo to pick $k$ and $m$ in the proof below.

Lemma 5.19. Let $S$ be a dcwo, $g : S \to S$ a partial monotonic map, and $s \in S$. Consider the family $G$ of all elements of the form $g^n(s)$, for those $n \in \mathbb{N}$ such that this is defined. Then there are finitely many directed subfamilies $G_0, G_1, \dots, G_{m-1}$ of $G$ such that:

(1) $cl(G) = \bigcup_{j=0}^{m-1} cl(G_j) = {\downarrow}\{lub(G_0), lub(G_1), \dots, lub(G_{m-1})\}$;

(2) each $G_j$ is either a one-element set $\{g^{p_j}(s)\}$, where $p_j \in \mathbb{N}$, or is a chain of the form $\{g^{p_j + \ell q_j}(s) \mid \ell \in \mathbb{N}\}$, where $p_j \in \mathbb{N}$, $q_j \in \mathbb{N} \setminus \{0\}$, and $g^{p_j}(s) < g^{p_j + q_j}(s)$;

(3) for every $j$, $0 \leq j < m$, $s \not< g^{p_j}(s)$.

Proof. Whenever $g^n(s)$ is defined, $g^{n'}(s)$ is, too, for all $n' \leq n$. So either $g^n(s)$ is defined exactly for $n < N$, for some $N \in \mathbb{N}$, or it is defined for all $n \in \mathbb{N}$.

In the first case the claim is obvious: we take $m = N$ and $G_j = \{g^j(s)\}$ for $0 \leq j < m$ (so $p_j = j$), and conditions (1) and (2) are clear. As for condition (3), it cannot be the case that $s < g^j(s)$ for some $j < N$: otherwise $g^{ij}(s)$ would be defined for all $i \in \mathbb{N}$ (an easy induction on $i$, using the fact that the domain of $g^j$ is upward-closed), contradicting the fact that $g^n(s)$ is only defined for $n < N$.

So assume that $g^n(s)$ is defined for all $n \in \mathbb{N}$, i.e., $G = \{g^n(s) \mid n \in \mathbb{N}\}$. Since $S$ is wpo, for some $k, m \in \mathbb{N}$ with $k < m$, $g^k(s) \leq g^m(s)$. We pick a minimal $k$ such that $g^k(s) \leq g^m(s)$ for some $m > k$; and given $k$, we pick a minimal $m > k$ such that $g^k(s) \leq g^m(s)$.

Let $G_0 = \{s\}$, $G_1 = \{g(s)\}$, $\dots$, $G_{k-1} = \{g^{k-1}(s)\}$, $G_k = \{g^{k + i(m-k)}(s) \mid i \in \mathbb{N}\}$, $G_{k+1} = \{g^{k+1 + i(m-k)}(s) \mid i \in \mathbb{N}\}$, $\dots$, $G_{m-1} = \{g^{m-1 + i(m-k)}(s) \mid i \in \mathbb{N}\}$.

Each $G_j$ is directed. This is clear when $j < k$. Otherwise, since $g^k(s) \leq g^m(s)$ and $g$ is partial monotonic, we obtain $g^{j + i(m-k)}(s) = g^{j-k + i(m-k)}(g^k(s)) \leq g^{j-k + i(m-k)}(g^m(s)) = g^{j + (i+1)(m-k)}(s)$. So $(g^{j + i(m-k)}(s))_{i \in \mathbb{N}}$ is an increasing chain.

Condition (2) is satisfied: $G_j$ is a one-element set when $0 \leq j < k$, or when $k \leq j < m$ and $g^j(s) = g^{j+m-k}(s)$, i.e., when the first two elements of $G_j$ are equal; indeed, in the latter case $g^{j + i(m-k)}(s) = g^{i(m-k)}(g^j(s)) = g^{i(m-k)}(g^{j+m-k}(s)) = g^{j + (i+1)(m-k)}(s)$, so all elements of the sequence coincide. Otherwise, i.e., if $k \leq j < m$ and $g^j(s) \neq g^{j+m-k}(s)$ (in which case $g^j(s) < g^{j+m-k}(s)$, since $g^{j + i(m-k)}(s) \leq g^{j + (i+1)(m-k)}(s)$ for all $i$), let $p_j = j$ and $q_j = m - k$. In all cases $p_j = j$.

Let us establish condition (1). First, $G = \bigcup_{j=0}^{m-1} G_j$. In particular, $G_j \subseteq G$, so $cl(G_j) \subseteq cl(G)$ for all $j$, whence $\bigcup_{j=0}^{m-1} cl(G_j) \subseteq cl(G)$.

Next, let $s_j = lub(G_j)$ for all $j$, $0 \leq j < m$. This exists because $G_j$ is a chain, hence is directed, and $S$ is a dcpo. The finite union $\bigcup_{j=0}^{m-1} {\downarrow} s_j$ is closed, and contains $\bigcup_{j=0}^{m-1} G_j = G$, so it contains $cl(G)$. Conversely, the definition of $s_j$ makes it clear that $s_j \in cl(G_j) \subseteq cl(G)$. So $cl(G) = \bigcup_{j=0}^{m-1} {\downarrow} s_j = {\downarrow}\{s_0, s_1, \dots, s_{m-1}\}$.

Take any element $x$ in $cl(G)$. Since $x \in cl(G)$, $x \leq s_j$ for some $j$, $0 \leq j < m$. However, $s_j \in cl(G_j)$, and $cl(G_j)$ is downward-closed, so $x \in \bigcup_{j=0}^{m-1} cl(G_j)$. So $cl(G) \subseteq \bigcup_{j=0}^{m-1} cl(G_j)$. So condition (1) holds.

Finally, assume condition (3) failed. Then $s < g^j(s)$ for some $j$, $0 \leq j < m$. Certainly $j \neq 0$, since $g^0(s) = s$. By the minimality of $k$ such that $g^k(s) \leq g^m(s)$ for some $m > k$, $k = 0$. By the minimality of $m$, $m \leq j$. But this contradicts $j < m$. □

Proposition 5.20. Let $\mathfrak{S}$ be an $\infty$-effective complete WSTS. Assume that $(\mathfrak{S}, s_0)$ is weakly clover-flattable. Then $Clover_{\mathfrak{S}}$ terminates on $s_0$.

Proof. Let $(\mathfrak{S}_1, \varphi)$ be a continuous flattening of $\mathfrak{S}$, and $s_1$ be a state of $\mathfrak{S}_1$ such that $\varphi(s_1) \leq s_0$ and $Cover_{\mathfrak{S}}(s_0) \subseteq {\downarrow} \varphi(Cover_{\mathfrak{S}_1}(s_1))$, i.e., $Clover_{\mathfrak{S}}(s_0) \leq^\flat \varphi(Clover_{\mathfrak{S}_1}(s_1))$. Write $\mathfrak{S}_1$ as $(S_1, \to_{F_1}, \leq_1)$. Since $\mathfrak{S}_1$ is flat, every fireable sequence $g_1 \in F_1^*$ from $s_1$ is in $w_1^* w_2^* \cdots w_m^*$, for some fixed sequence $w_1, w_2, \dots, w_m \in F_1^*$.

Extend the action of $\varphi : F_1 \to F$ on words by $\varphi(f_1 f_2 \cdots f_p) = \varphi(f_1) \varphi(f_2) \cdots \varphi(f_p)$. Thus $\varphi(w_1), \dots, \varphi(w_m)$ are defined.

Consider first $\varphi(w_1)$. Apply Lemma 5.19 with $g = \varphi(w_1)$ and $s = s_0$, and get finitely many subfamilies $G_0, G_1, \dots$ of $G = \{\varphi(w_1)^n(s_0) \mid n \in \mathbb{N},\ \varphi(w_1)^n(s_0) \text{ is defined}\}$ satisfying the conditions given in the Lemma.

For each $j$ such that $G_j$ is a one-element set, say $G_j = \{\varphi(w_1)^n(s_0)\}$, observe that $Clover_{\mathfrak{S}}$ will eventually select the pair $(\varphi(w_1)^n, s_0)$ at line 2.(a) by fairness, and add $(\varphi(w_1)^n)^\infty(s_0)$ to $A$. By condition (3), $s_0 \not< \varphi(w_1)^n(s_0)$, so $(\varphi(w_1)^n)^\infty(s_0) = \varphi(w_1)^n(s_0)$. So $Clover_{\mathfrak{S}}$ will eventually add $\varphi(w_1)^n(s_0) = lub(G_j)$ to $A$.

Still taking the notations of the Lemma, for every $j$ such that $G_j$ contains more than one element, $Clover_{\mathfrak{S}}$ will eventually select the pair $(\varphi(w_1)^{p_j}, s_0)$, adding $(\varphi(w_1)^{p_j})^\infty(s_0)$ to $A$. Using condition (3) as above, one sees that $(\varphi(w_1)^{p_j})^\infty(s_0) = \varphi(w_1)^{p_j}(s_0)$. Then, by fairness again (and this is the important point in the proof, where lub-acceleration is needed), $Clover_{\mathfrak{S}}$ will eventually select the pair $(\varphi(w_1)^{q_j}, \varphi(w_1)^{p_j}(s_0))$, and therefore add $(\varphi(w_1)^{q_j})^\infty(\varphi(w_1)^{p_j}(s_0))$ to $A$. By condition (2), $(\varphi(w_1)^{q_j})^\infty(\varphi(w_1)^{p_j}(s_0))$ is just $lub\{\varphi(w_1)^{p_j + \ell q_j}(s_0) \mid \ell \in \mathbb{N}\} = lub(G_j)$.

Let again $A_n$ be the value of the set $A$, computed by the procedure $Clover_{\mathfrak{S}}$ on input $s_0$, after $n$ iterations of the while statement at line 2. Let $A = \bigcup_{n \in \mathbb{N}} A_n$. We have just shown that at some step, say $n_1$, $Clover_{\mathfrak{S}}$ will have added enough elements to $A$ so that every element of the form $\varphi(w_1)^{k_1}(s_0)$, $k_1 \in \mathbb{N}$ (provided this is defined), is below some element of $A_{n_1}$.
Let us proceed with $\varphi(w_2)$. Fix an arbitrary element $s$ of $A_{n_1}$, and apply Lemma 5.19 with $g = \varphi(w_2)$. Proceeding as above, we observe that there is an $n_2 \geq n_1$ such that every element of the form $\varphi(w_2)^{k_2}(s)$, $k_2 \in \mathbb{N}$, is below some element of $A_{n_2}$. Since $s$ is arbitrary in $A_{n_1}$, and since $\varphi(w_2)^{k_2}$ is partial monotonic with an upward-closed domain, we conclude that every element of the form $\varphi(w_2)^{k_2}(\varphi(w_1)^{k_1}(s_0))$, $k_1, k_2 \in \mathbb{N}$, is below some element of $A_{n_2}$.

We now induct on $i$, $1 \leq i \leq m$, to show similarly that there is an $n_i \in \mathbb{N}$ such that every element of the form $\varphi(w_i)^{k_i}(\varphi(w_{i-1})^{k_{i-1}}(\dots \varphi(w_1)^{k_1}(s_0)))$, where $k_1, \dots, k_i \in \mathbb{N}$, is below some element of $A_{n_i}$.

In particular, for $i = m$, writing $n$ for $n_m$: (*) there is an $n \in \mathbb{N}$ such that every element of the form $\varphi(w_m)^{k_m}(\varphi(w_{m-1})^{k_{m-1}}(\dots \varphi(w_1)^{k_1}(s_0)))$, where $k_1, \dots, k_m \in \mathbb{N}$, is below some element of $A_n$. We claim that $Clover_{\mathfrak{S}}(s_0)$ must stop after step $n$.

Let $U$ be the (open) complement of the closed set ${\downarrow} A_n$, and assume that $U$ intersects ${\downarrow} Clover_{\mathfrak{S}}(s_0)$. Then $U$ must also intersect ${\downarrow} \varphi(Clover_{\mathfrak{S}_1}(s_1))$, hence $\varphi(Clover_{\mathfrak{S}_1}(s_1))$. (Remember that open subsets are upward-closed.) So $\varphi^{-1}(U)$ intersects $Clover_{\mathfrak{S}_1}(s_1)$, whence $\varphi^{-1}(U)$ intersects ${\downarrow} Clover_{\mathfrak{S}_1}(s_1)$, since $\varphi^{-1}(U)$ is upward-closed, using the fact that $U$ is and that $\varphi$ is monotonic. By Proposition 3.7, $\varphi^{-1}(U)$ intersects $cl(Cover_{\mathfrak{S}_1}(s_1))$. Since $\varphi$ is continuous, $\varphi^{-1}(U)$ is open. We now use the fact that an open intersects the closure of a set iff it intersects that set. So $\varphi^{-1}(U)$ must intersect $Cover_{\mathfrak{S}_1}(s_1)$. So $U$ intersects $\varphi(Cover_{\mathfrak{S}_1}(s_1))$, say at $a$. In particular, there is an $a_1 \in S_1$ such that $a \leq \varphi(a_1)$, and $a_1 \leq w_1^{k_1} w_2^{k_2} \cdots w_m^{k_m}(s_1)$, for some natural numbers $k_1, k_2, \dots, k_m$.

Since $a \leq \varphi(a_1) \leq \varphi(w_1^{k_1} w_2^{k_2} \cdots w_m^{k_m})(\varphi(s_1)) \leq \varphi(w_1^{k_1} w_2^{k_2} \cdots w_m^{k_m})(s_0) = \varphi(w_m)^{k_m}(\varphi(w_{m-1})^{k_{m-1}}(\dots \varphi(w_1)^{k_1}(s_0)))$, $a$ is in ${\downarrow} A_n$ by (*). But this contradicts the fact that $a \in U$. So the complement $U$ of ${\downarrow} A_n$ does not intersect ${\downarrow} Clover_{\mathfrak{S}}(s_0)$, i.e., ${\downarrow} Clover_{\mathfrak{S}}(s_0) \subseteq {\downarrow} A_n$.

By Proposition 5.3, the converse inclusion holds. We conclude that the procedure $Clover_{\mathfrak{S}}$ stops after the $n$th turn of the loop, because of the fixpoint test at line 2. □

Putting together Lemma 5.16, Proposition 5.18 and Proposition 5.20, we obtain:

Theorem 5.21 (Main Theorem). Let $\mathfrak{S}$ be an $\infty$-effective complete WSTS. The following statements are equivalent:

(1) $(\mathfrak{S}, s_0)$ is clover-flattable;

(2) $(\mathfrak{S}, s_0)$ is weakly clover-flattable;

(3) $(\mathfrak{S}, s_0)$ is strongly clover-flattable;

(4) $Clover_{\mathfrak{S}}(s_0)$ terminates. □



5.3. Cover-Flattability (without the "l" in "Clover"). Turning to non-complete WSTS, we define:

Definition 5.22 (Monotonic Flattening). Let $\mathfrak{X}_2 = (X_2, \to_{F_2}, \leq_2)$ be an ordered functional transition system. A flattening $(\mathfrak{X}_1, \varphi)$ of $\mathfrak{X}_2$ is monotonic iff:

(1) $\mathfrak{X}_1 = (X_1, \to_{F_1}, \leq_1)$ is an ordered functional transition system;

(2) and $\varphi : X_1 \to X_2$ is monotonic.

Definition 5.23 (Cover-Flattable). Let $\mathfrak{X}$ be an ordered functional transition system, and $x_0$ be a state. We say that $(\mathfrak{X}, x_0)$ is cover-flattable iff there is a monotonic flattening $(\mathfrak{X}_1, \varphi)$ of $\mathfrak{X}$, and a state $x_1$ of $\mathfrak{X}_1$ such that:

(1) $\varphi(x_1) = x_0$;

(2) $Cover_{\mathfrak{X}}(x_0) = {\downarrow} \varphi(Cover_{\mathfrak{X}_1}(x_1))$.

Definition 5.24 (Weakly Cover-Flattable). Let $\mathfrak{X}$ be an ordered functional transition system, and $x_0$ be a state. We say that $(\mathfrak{X}, x_0)$ is weakly cover-flattable iff there is a monotonic flattening $(\mathfrak{X}_1, \varphi)$ of $\mathfrak{X}$, and a state $x_1$ of $\mathfrak{X}_1$ such that:

(1) $\varphi(x_1) \leq x_0$;

(2) and $Cover_{\mathfrak{X}}(x_0) \subseteq {\downarrow} \varphi(Cover_{\mathfrak{X}_1}(x_1))$.

Definition 5.25 (Strongly Cover-Flattable). Let $\mathfrak{X} = (X, \to_F, \leq)$ be an ordered functional transition system. We say that $(\mathfrak{X}, x_0)$ is strongly cover-flattable iff there is an rl-automaton $\mathcal{A}$, say with initial state $q_0$, such that $Cover_{\mathfrak{X}}(x_0) = \pi_1(Cover_{\mathfrak{X} \times \mathcal{A}}(x_0, q_0))$.

Theorem 5.26. Let $\mathfrak{X} = (X, \to_F, \leq)$ be an $\omega^2$-WSTS that is $\infty$-effective, in the sense that $\hat{\mathfrak{X}}$ is $\infty$-effective, i.e., that $(Sg)^\infty$ is computable for every $g \in F^*$. The following statements are equivalent:

(1) $(\mathfrak{X}, x_0)$ is cover-flattable;

(2) $(\mathfrak{X}, x_0)$ is weakly cover-flattable;

(3) $(\mathfrak{X}, x_0)$ is strongly cover-flattable;

(4) $(\hat{\mathfrak{X}}, \eta_X(x_0))$ is (weakly, strongly) clover-flattable;

(5) $Clover_{\hat{\mathfrak{X}}}(\eta_X(x_0))$ terminates.

In this case, $Clover_{\hat{\mathfrak{X}}}(\eta_X(x_0))$ returns the clover $A = Clover_{\hat{\mathfrak{X}}}(\eta_X(x_0))$, and this is a finite description of the cover, in the sense that $Cover_{\mathfrak{X}}(x_0) = \eta_X^{-1}({\downarrow} A)$.
Proof. First, that $Clover_{\hat{\mathfrak{X}}}(\eta_X(x_0))$ computes the clover $A$ is Theorem 5.5, and the fact that $Cover_{\mathfrak{X}}(x_0) = \eta_X^{-1}({\downarrow} A)$ is Proposition 3.9. If we equate $X$ with $\eta_X(X)$, the latter means that the cover is just $X \cap {\downarrow} A$.

Next, (4) is equivalent to (5), by Theorem 5.21. Note in particular that $\hat{\mathfrak{X}}$ is a complete WSTS by Theorem 4.4 and is $\infty$-effective by assumption.

The implications (1) $\Rightarrow$ (2) and (3) $\Rightarrow$ (1) are clear. For the latter, note that, since $Cover_{\mathfrak{X} \times \mathcal{A}}(x_0, q_0)$ is downward-closed, $\pi_1(Cover_{\mathfrak{X} \times \mathcal{A}}(x_0, q_0)) = {\downarrow} \pi_1(Cover_{\mathfrak{X} \times \mathcal{A}}(x_0, q_0))$, and take $\varphi = \pi_1$.

We now show that (2) implies (4), i.e., that if $(\mathfrak{X}, x_0)$ is weakly cover-flattable, then $(\hat{\mathfrak{X}}, \eta_X(x_0))$ is weakly clover-flattable. So let $\mathfrak{X}_1 = (X_1, \to_{F_1}, \leq)$, $\varphi$ and $x_1$ be as in Definition 5.24. In particular, $\varphi(x_1) \leq x_0$ and $Cover_{\mathfrak{X}}(x_0) \subseteq {\downarrow} \varphi(Cover_{\mathfrak{X}_1}(x_1))$. Let $S_1$ be the ideal completion $Idl(X_1)$, with inclusion as ordering, and define the complete transition system $\mathfrak{S}_1 = (S_1, \to_{F_1'}, \subseteq)$, where $F_1' = \{Idl(f) \mid f \in F_1\}$. $Idl(f)$ is the partial continuous function that maps every ideal $D$ such that $D \cap dom f \neq \emptyset$ to ${\downarrow} f(D)$. Remember that $\hat{\mathfrak{X}} = Idl(X)$. Define $\varphi' : S_1 \to \hat{\mathfrak{X}}$ as $Idl(\varphi)$: this is continuous. On transitions, $\varphi'$ maps $Idl(f)$ to $Idl(\varphi(f))$: this is well-defined, as one can recover $f$ from $Idl(f)$, by the fact that $f(x) = lub(Idl(f)({\downarrow} x))$. So $(\mathfrak{S}_1, \varphi')$ is a continuous flattening of $\hat{\mathfrak{X}}$. Let $s_1 = {\downarrow} x_1$, $s_0 = {\downarrow} x_0$. We claim that $\varphi'(s_1) \subseteq s_0$, and that $Cover_{\hat{\mathfrak{X}}}(s_0) \subseteq cl(\varphi'(cl(Cover_{\mathfrak{S}_1}(s_1))))$. The first inequality is because $\varphi'(s_1) = Idl(\varphi)({\downarrow} x_1) = {\downarrow} \varphi({\downarrow} x_1) = {\downarrow} \varphi(x_1) \subseteq {\downarrow} x_0 = s_0$, since $\varphi(x_1) \leq x_0$. For the second inequality, let $s$ be any element of $Cover_{\hat{\mathfrak{X}}}(s_0)$. So $s \subseteq g(s_0)$ for some composition $g$ of transitions of $\hat{\mathfrak{X}}$, i.e., of maps of the form $Idl(h)$, $h \in F$. We observe that $Idl$ is a functor, i.e., that $Idl$ of the identity map is the identity, and that $Idl(g_1 g_2) = Idl(g_1)\, Idl(g_2)$ for all $g_1, g_2$. So, writing $g$ as a composition $g_1 g_2 \cdots g_k$ of maps $g_i = Idl(h_i)$, $h_i \in F$, $g$ equals $Idl(h)$, where $h = h_1 h_2 \cdots h_k \in F^*$. It follows that $s \subseteq Idl(h)({\downarrow} x_0) = {\downarrow} h(x_0)$. Observe that $h(x_0) \in Cover_{\mathfrak{X}}(x_0) \subseteq {\downarrow} \varphi(Cover_{\mathfrak{X}_1}(x_1))$, so $s \subseteq {\downarrow} \varphi(Cover_{\mathfrak{X}_1}(x_1))$. In particular, every element $x$ of the ideal $s$ is below some element of the form $\varphi(f(x_1))$, $f \in F_1^*$. We observe that $x \in \varphi'(Idl(f)(s_1))$: indeed, $\varphi'(Idl(f)(s_1)) = Idl(\varphi)(Idl(f)(s_1)) = Idl(\varphi \circ f)(s_1) = {\downarrow} (\varphi \circ f)({\downarrow} x_1) = {\downarrow} \varphi(f(x_1))$, and $x$ is in the latter since $x \leq \varphi(f(x_1))$. From $x \in \varphi'(Idl(f)(s_1))$, and since $Idl(f)(s_1) \in Cover_{\mathfrak{S}_1}(s_1)$, we deduce that ${\downarrow} x \in {\downarrow} \varphi'(Cover_{\mathfrak{S}_1}(s_1))$. Since $x$ is arbitrary in $s$, the ideal $s$ is the union, i.e., the lub, of the directed family $({\downarrow} x)_{x \in s}$ of elements of ${\downarrow} \varphi'(Cover_{\mathfrak{S}_1}(s_1))$. So $s \in cl({\downarrow} \varphi'(Cover_{\mathfrak{S}_1}(s_1))) = cl(\varphi'(Cover_{\mathfrak{S}_1}(s_1))) \subseteq cl(\varphi'(cl(Cover_{\mathfrak{S}_1}(s_1))))$.

Finally, we show that (4) implies (3), i.e., that if $(\hat{\mathfrak{X}}, \eta_X(x_0))$ is strongly clover-flattable, then $(\mathfrak{X}, x_0)$ is strongly cover-flattable. Let $\mathcal{A}$ be an rl-automaton, with initial state $q_0$, such that $cl(Cover_{\hat{\mathfrak{X}}}(\eta_X(x_0))) = cl(\pi_1(cl(Cover_{\hat{\mathfrak{X}} \times \mathcal{A}}(\eta_X(x_0), q_0))))$. We claim that $Cover_{\mathfrak{X}}(x_0) = \pi_1(Cover_{\mathfrak{X} \times \mathcal{A}'}(x_0, q_0))$, where $\mathcal{A}'$ is the automaton obtained from $\mathcal{A}$ by replacing each $Sg$ transition by a $g$ transition, $g \in F$. (Note by the way that the definition of $Sg$ is the same as that of $Idl(g)$ above.) The inclusion from right to left is obvious, so let us show that $Cover_{\mathfrak{X}}(x_0) \subseteq \pi_1(Cover_{\mathfrak{X} \times \mathcal{A}'}(x_0, q_0))$. Let $x$ be any element of $Cover_{\mathfrak{X}}(x_0)$. So $x \leq g(x_0)$ for some $g \in F^*$. Then $x \in {\downarrow} g(x_0) = {\downarrow} g({\downarrow} x_0) = Idl(g)(\eta_X(x_0))$, so ${\downarrow} x \in Cover_{\hat{\mathfrak{X}}}(\eta_X(x_0))$. By assumption ${\downarrow} x$ is in $cl(\pi_1(cl(Cover_{\hat{\mathfrak{X}} \times \mathcal{A}}(\eta_X(x_0), q_0))))$. We may simplify this by observing that $cl(f(cl(B))) = cl(f(B))$ for any continuous map $f$ and any subset $B$, so that ${\downarrow} x \in cl(\pi_1(Cover_{\hat{\mathfrak{X}} \times \mathcal{A}}(\eta_X(x_0), q_0)))$. In $\hat{\mathfrak{X}} = Idl(X)$, the closure $cl(B)$ of any downward-closed subset $B$ of $Idl(X)$ equals $Lub(B)$, since $Idl(X)$ is continuous. It follows that, if ${\downarrow} x \in cl(B)$, then ${\downarrow} x$ is the union of a directed family $(s_i)_{i \in I}$ of elements of $B$; in particular, $x$ is in some $s_i$, $i \in I$, i.e., $x$ is in some element (an ideal) of $B$. Taking $B = \pi_1(Cover_{\hat{\mathfrak{X}} \times \mathcal{A}}(\eta_X(x_0), q_0))$, $x$ is in some ideal $s$ such that $(s, q) \in Cover_{\hat{\mathfrak{X}} \times \mathcal{A}}(\eta_X(x_0), q_0)$ for some state $q$ of $\mathcal{A}$. That is, $s \subseteq Sg(\eta_X(x_0))$ for some $g = g_1 g_2 \cdots g_k$, where $g_1, g_2, \dots, g_k \in F$, and $q$ is the state obtained by reading the word $Sg_1\, Sg_2 \cdots Sg_k$ in $\mathcal{A}$ from $q_0$. In particular, $q$ is also the state obtained by reading the word $g_1 g_2 \cdots g_k$ in $\mathcal{A}'$ from $q_0$. And $s \subseteq Sg(\eta_X(x_0))$ means that $s \subseteq {\downarrow} g({\downarrow} x_0) = {\downarrow} g(x_0)$, so $x \in s$ implies $x \leq g(x_0)$. In particular, $(x, q) \in Cover_{\mathfrak{X} \times \mathcal{A}'}(x_0, q_0)$, so $x \in \pi_1(Cover_{\mathfrak{X} \times \mathcal{A}'}(x_0, q_0))$. □


By a slight abuse of language, say that a functional WSTS $\mathfrak{S} = (S, \to, \le)$ is cover-flattable iff $(\mathfrak{S}, s_0)$ is cover-flattable for every initial state $s_0 \in S$.

Corollary 5.27. Every Petri net, and every VASS, is cover-flattable. 

Proof. The state space of a Petri net on $k$ places is $\mathbb{N}^k$, that of a VASS [HP79] is $Q \times \mathbb{N}^k$, where $Q$ is a finite set of control states. We deal with the latter, as they are more general. Transitions of the VASS $\mathfrak{X}$ are of the form $f(q, x) = (q', x + b - a)$, provided $x \ge a$, and where $a, b$ are fixed tuples in $\mathbb{N}^k$. It is easy to see that $\mathbb{S}f$ is defined by: $\mathbb{S}f(q, x) = (q', x + b - a)$, provided $x \ge a$, this time for all $x \in \mathbb{N}_\omega^k$. So the completion $\mathfrak{S}$ of the VASS is $\infty$-effective. On ... algorithm of Section 4.1. By Proposition 5.6, $Clover_{\mathfrak{S}}$ terminates on any input $s_0 \in Q \times \mathbb{N}_\omega^k$. So $\mathfrak{X}$ is cover-flattable, by Theorem 5.26. □



Corollary 5.28. There are reset Petri nets, and functional-lossy channel systems that are 
not cover-flattable. 



Proof. One can again show that their completions are $\infty$-effective, see Section 4.5. However the cover is undecidable both for reset Petri nets and (functional-)lossy channel systems $\mathfrak{X}$, so $Clover_{\widehat{\mathfrak{X}}}(\eta_X(x_0))$ must fail to terminate for some initial state $x_0$. We conclude by Theorem 5.26. □
6. Application: Well Structured Counter Systems

We now demonstrate how the fairly large class of counter systems fits with our theory. We show that counter systems composed of affine monotonic functions with upward-closed definition domains are complete (strongly monotonic) WSTS. This result is obtained by showing that every monotonic affine function $f$ is continuous and its lub-acceleration $f^\infty$ is computable [CFS11]. Moreover, we prove that it is possible to decide whether a general counter system (given by a finite set of Presburger relations) is a monotonic affine counter system, but that one cannot decide whether it is a WSTS.

Definition 6.1. A relational counter system (with $n$ counters), for short an R-counter system, $C$ is a tuple $C = (Q, R, \to)$ where $Q$ is a finite set of control states, $R = \{r_1, r_2, \ldots, r_k\}$ is a finite set of Presburger relations $r_i \subseteq \mathbb{N}^n \times \mathbb{N}^n$ and $\to \subseteq Q \times R \times Q$.

We will consider a special case of Presburger relations, those which allow us to encode the graph of affine functions. A (partial) function $f : \mathbb{N}^n \to \mathbb{N}^n$ is non-negative affine, for short affine, if there exist a matrix $A \in \mathbb{N}^{n \times n}$ with non-negative coefficients and a vector $b \in \mathbb{Z}^n$ such that for all $x \in \mathrm{dom} f$, $f(x) = Ax + b$. When necessary, we will extend affine maps $f : \mathbb{N}^n \to \mathbb{N}^n$ by continuity to $f : \mathbb{N}_\omega^n \to \mathbb{N}_\omega^n$ by $f(\mathrm{lub}_{i \in \mathbb{N}}(x_i)) = \mathrm{lub}_{i \in \mathbb{N}}(f(x_i))$ for every countable chain $(x_i)_{i \in \mathbb{N}}$ in $\mathbb{N}^n$. That is, we just write $f$ instead of $\mathbb{S}f$.

Definition 6.2. An affine counter system (with $n$ counters), a.k.a. an ACS $C = (Q, R, \to)$, is an R-counter system where all relations $r_i$ are (partial) affine functions.

The domains of the maps $f$ in an affine counter system ACS are Presburger-definable. A reset/transfer Petri net is an ACS where every line or column of every matrix contains at most one non-zero coefficient, equal to 1, and all domains are upward-closed sets. A Petri net is an ACS where all affine maps are translations with upward-closed domains.

Theorem 6.3. One can decide whether an effective relational counter system is an ACS. 

Proof. The formula expressing that a relation is a function is a Presburger formula, hence one can decide whether $R$ is the graph of a function. One can also decide whether the graph $G_f$ of a function $f$ is monotonic, because monotonicity of a Presburger-definable function can be expressed as a Presburger formula. Finally, one can also decide whether a Presburger formula represents an affine function $f(x) = Ax + b$ with $A \in \mathbb{N}^{n \times n}$ and $b \in \mathbb{Z}^n$, using results by Demri et al. [DFGvD06]. □

For counter systems (which include Minsky machines), monotonicity is undecidable. Clearly, a counter system $\mathfrak{S}$ is well-structured iff $\mathfrak{S}$ is monotonic: so there is no algorithm to decide whether a relational counter system is a WSTS. However, an ACS is strongly monotonic iff each map $f$ is partial monotonic; this is equivalent to requiring that $\mathrm{dom} f$ is upward-closed, since all matrices $A$ have non-negative coefficients. This is easily cast as a Presburger formula, and therefore decidable.

Proposition 6.4. There is an algorithm to decide whether an ACS is a strongly monotonic 
WSTS. 

Proof. The strong monotonicity of an ACS $C$ means that every function of $C$ is monotonic, and this can be expressed by a Presburger formula saying that all the (Presburger-definable) definition domains are upward-closed (the matrices are known to be positive). □

A. FINKEL AND J. GOUBAULT-LARRECQ 



We have recalled that the transition functions of Petri nets ($f(x) = x + b$, $b \in \mathbb{Z}^n$ and $\mathrm{dom}(f)$ upward-closed) can be lub-accelerated effectively. This result was generalized to broadcast protocols (equivalent to transfer Petri nets) by Emerson and Namjoshi [EN98] and to another class of monotonic affine functions $f(x) = Ax + b$ such that $A \in \mathbb{N}^{n \times n}$, $b \in \mathbb{N}^n$ (note that $b$ is not in $\mathbb{Z}^n$) and $\mathrm{dom}(f)$ is upward closed [FMP04].

[CFS11] recently extended this result to all monotonic affine functions: for every $f(x) = Ax + b$ with $A \in \mathbb{N}^{n \times n}$, $b \in \mathbb{Z}^n$ and $\mathrm{dom}(f)$ upward-closed, the function $f^\infty$ is recursive.
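As an added illustration (our own code, not the paper's nor [CFS11]'s) of the completed VASS transition $\mathbb{S}f$ of Corollary 5.27 and of the lub-acceleration $f^\infty$ of a monotonic affine map on $\mathbb{N}_\omega^n$ discussed above; it assumes that $\mathrm{dom} f$ is given by lower bounds $x \ge a$, that $f^\infty(x)$ is the lub of the iterates $f^k(x)$ when $x \le f(x)$, and the divergence test via the dependency graph of $A$ is our own, not the one of [CFS11]:

```python
OMEGA = float("inf")  # the top element omega of N_omega: omega + k = omega for finite k

def apply_affine(A, b, a, x):
    """f(x) = Ax + b extended to N_omega^n by continuity, i.e. Sf; None when x is not >= a.
    Assumes dom f = {x | x >= a} (upward-closed) and that a keeps Ax + b non-negative."""
    n = len(b)
    if any(x[i] < a[i] for i in range(n)):
        return None
    y = []
    for i in range(n):
        # zero coefficients are skipped, so the product 0 * omega never arises
        terms = [A[i][j] * x[j] for j in range(n) if A[i][j] > 0]
        y.append(OMEGA if OMEGA in terms else sum(terms) + b[i])
    return tuple(y)

def vass_step(a, b, x):
    """The completed VASS transition of Corollary 5.27: x + b - a provided x >= a."""
    identity = [[int(i == j) for j in range(len(a))] for i in range(len(a))]
    return apply_affine(identity, [b[i] - a[i] for i in range(len(a))], a, x)

def reachable(A, sources):
    """Coordinates reachable from `sources` along dependency edges j -> i (A[i][j] > 0)."""
    seen, stack = set(sources), list(sources)
    while stack:
        j = stack.pop()
        for i in range(len(A)):
            if A[i][j] > 0 and i not in seen:
                seen.add(i)
                stack.append(i)
    return seen

def lub_accelerate(A, b, a, x):
    """f^infty(x) = lub_k f^k(x) when x <= f(x), else None (assumed definition).
    A >= 0 makes f monotonic, so the iterates form a chain and the lub is coordinatewise."""
    n = len(b)
    y1 = apply_affine(A, b, a, x)
    if y1 is None or any(y1[i] < x[i] for i in range(n)):
        return None
    # Increments propagate as d_{k+1} = A d_k, so a finite coordinate i is unbounded iff
    # some dependency walk from a coordinate that grew at step 1 reaches i through a cycle.
    grew = [i for i in range(n) if y1[i] != OMEGA and y1[i] > x[i]]
    on_cycle = [c for c in reachable(A, grew)
                if c in reachable(A, [i for i in range(n) if A[i][c] > 0])]
    divergent = reachable(A, on_cycle)
    # All other coordinates are constant after n steps (acyclic walks have fewer than n
    # edges), and omega inputs have propagated to every coordinate depending on them.
    y = x
    for _ in range(n + 1):
        y = apply_affine(A, b, a, y)
    return tuple(OMEGA if i in divergent else y[i] for i in range(n))
```

For a plain translation (Petri net, $A$ the identity) this reduces to the familiar Karp-Miller rule of putting $\omega$ on every coordinate that strictly increases; the matrix cases show why a zero row keeps a coordinate bounded while a cycle in $A$ drives it to $\omega$.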

We deduce the following strong relationship between well-structured ACS and complete 
well-structured ACS. 

Theorem 6.5. The completion of an ACS $\mathfrak{S}$ is an $\infty$-effective complete WSTS iff $\mathfrak{S}$ is a strongly monotonic WSTS.

Proof. Strong monotonicity reduces to partial monotonicity of each map $f$, as discussed above. Well-structured ACS are clearly effective, since $Post(s) = \{t \mid \exists f \in F \cdot f(s) = t\}$ is Presburger-definable. Note also that monotonic affine functions are continuous, and $\mathbb{N}_\omega^n$ is a continuous dcwo. Finally, for every Presburger monotonic affine function $f$, the function $f^\infty$ is recursive, so the considered ACS is $\infty$-effective. □

Corollary 6.6. One can decide whether the completion of an ACS is an $\infty$-effective complete WSTS.

So the completions of reset/transfer Petri nets [DFS98], broadcast protocols [EFM99], self-modifying Petri nets [Val78] and affine well-structured nets [FMP04] are $\infty$-effective complete WSTS.

7. Conclusion and Perspectives 

We have provided a framework of complete WSTS, and of completions of WSTS, on which forward reachability analyses can be conducted, using natural finite representations for downward-closed sets. The central element of this theory is the clover, i.e., the set of maximal elements of the closure of the cover. We have shown that, for complete WSTS, the clover is finite and describes the closure of the cover exactly. When the original WSTS is not complete, we have shown the general completion of WSTS defined in [FG09] is still a WSTS iff the original WSTS is an $\omega^2$-WSTS. This delineates a new, robust class of WSTS: all known WSTS are $\omega^2$-WSTS. The property of being an $\omega^2$-WSTS is also important to ensure progress in Karp-Miller-like procedures.

We have also defined a simple procedure, $Clover_{\mathfrak{S}}$, for computing the clover for $\infty$-effective complete WSTS $\mathfrak{S}$. This captures the essence of generalized forms of the Karp-Miller procedure, while terminating in more cases. We have shown that $Clover_{\mathfrak{S}}$ terminates iff the WSTS is clover-flattable, i.e., that it is some form of projection of a flat system, with the same clover. We have also shown that several variants of the notion of clover-flattability were in fact equivalent. We believe that this characterization is an important, and non-trivial, result.

In the future, we shall explore efficient strategies for choosing sequences $g \in F^*$ to lub-accelerate in the $Clover_{\mathfrak{S}}$ procedure. We will also analyze whether $Clover_{\mathfrak{S}}$ terminates in models such as BVASS [VG05], reconfigurable nets, timed Petri nets [ADMN04a], post-self-modifying Petri nets [Val78] and strongly monotonic affine well-structured nets [FMP04], i.e., whether they are cover-flattable.
One potential use of the clover is in deciding coverability. But the $Clover_{\mathfrak{S}}$ procedure may fail to terminate. This is in contrast to the Expand, Enlarge and Check forward algorithm of [GRvB07], which always terminates, hence decides coverability. One may want to combine the best of both worlds, and the lub-accelerations of $Clover_{\mathfrak{S}}$ can profitably be used to improve the efficiency of the Expand, Enlarge and Check algorithm. This remains to be explored.

Finally, recall that computing the finite clover is a first step [EN98] in the direction of solving liveness properties (and not only safety properties, which reduce to coverability). We plan to clarify the construction of a cloverability graph which would be the basis for liveness model checking.